Hi all
First search is
( host=wjb2* NOT host=wjb2stl22 NOT host=wjb2*23 NOT host=wjb2*24 NOT host=wjb2*25 NOT host=wjb2*26) "[/clientapi/walletapi/*/login]" "User successfully authenticated for" NOT "healthcheckcdm@company.com" |fillnull value=NULL | timechart span=1d count
Second search is
( host=wjb2* NOT host=wjb2stl22 NOT host=wjb2*23 NOT host=wjb2*24 NOT host=wjb2*25 NOT host=wjb2*26) "[/clientapi/walletapi/*/login]" "error code" | rex "Error Code : (?.*)," | rex "Error Message : (?.*)" | eval Error_Message=if(Error_Code="USER_NOT_FOUND" AND Error_Message="User authentication failed", "Invalid Password", Error_Message) | eval Error_Message=if(Error_Message="Authentication failed due to invalid username/password ", "Invalid Username", Error_Message) |fillnull value=NULL | timechart span=1d count
Want to combine both results of two different searches to calculate rate !!
Maybe you're looking for the append command?
( host=wjb2* NOT host=wjb2stl22 NOT host=wjb2*23 NOT host=wjb2*24 NOT host=wjb2*25 NOT host=wjb2*26) "[/clientapi/walletapi/*/login]" "User successfully authenticated for" NOT "healthcheckcdm@company.com"
| append [ search
( host=wjb2* NOT host=wjb2stl22 NOT host=wjb2*23 NOT host=wjb2*24 NOT host=wjb2*25 NOT host=wjb2*26) "[/clientapi/walletapi//login]" "error code" | rex "Error Code : (?.)," | rex "Error Message : (?.*)" | eval Error_Message=if(Error_Code="USER_NOT_FOUND" AND Error_Message="User authentication failed", "Invalid Password", Error_Message) | eval Error_Message=if(Error_Message="Authentication failed due to invalid username/password ", "Invalid Username", Error_Message)
]
|fillnull value=NULL | timechart span=1d count