Hello,
I am trying to create a query that combines the results of two searches, like this:
index=some_index source="log_source" AND "Not Updated - sourceId"
| stats count as RejectedEvents
| appendcols [
search index=some_index source="log_source"
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(numberOfMessage) as ProcessedEvents
]
| eval total = ProcessedEvents + RejectedEvents
| fields total
This query works fine, but is insanely slow. Any help on making this better?

Try this:
index="some_index" AND source="log_source"
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(numberOfMessage) AS ProcessedEvents count AS total_raw count(eval(searchmatch("Not Updated - sourceId"))) AS RejectedEvents
| eval total_true = ProcessedEvents + RejectedEvents

This may be a little better.
(index=some_index source="log_source") OR (index=some_index source="log_source" "Not Updated - sourceId" )
| eval Rejected = if (match(_raw, "Not Updated - sourceId"), 1, 0)
| rex ".*Batch info: completed, processed entities: (?<numberOfMessage>.*)"
| stats sum(Rejected) as RejectedEvents, sum(numberOfMessage) as ProcessedEvents
| eval total = ProcessedEvents + RejectedEvents
| fields total
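As an added example (not from the thread), a small Python reference model of the single-pass aggregation both answers use, run over constructed sample events, so the expected ProcessedEvents, RejectedEvents and total can be checked before the search is run in Splunk. The sample lines and the digit-only capture are assumptions; the thread's own rex uses a bare `.*` capture.

```python
import re

# Constructed sample events in the shape the thread's rex expects
# (not real log data).
SAMPLE_EVENTS = [
    "2024-01-01T10:00:00 Batch info: completed, processed entities: 120",
    "2024-01-01T10:00:05 Not Updated - sourceId=abc123",
    "2024-01-01T10:01:00 Batch info: completed, processed entities: 80",
    "2024-01-01T10:01:30 Not Updated - sourceId=def456",
    "2024-01-01T10:02:00 Batch info: completed, processed entities: 3",
    "2024-01-01T10:02:10 Heartbeat ok",
]

# Same capture as the thread's rex, but restricted to a digit run: a bare
# .* capture would also swallow any trailing text on the line, and those
# values would then not sum cleanly.
PROCESSED_RE = re.compile(
    r"Batch info: completed, processed entities: (?P<numberOfMessage>\d+)"
)
REJECT_MARKER = "Not Updated - sourceId"


def aggregate(events):
    """One pass over the events, mirroring the single stats command in the
    answers: sum(numberOfMessage) AS ProcessedEvents,
    count(eval(searchmatch(...))) AS RejectedEvents, count AS total_raw."""
    processed = 0
    rejected = 0
    total_raw = 0
    for line in events:
        total_raw += 1
        m = PROCESSED_RE.search(line)
        if m:
            processed += int(m.group("numberOfMessage"))
        if REJECT_MARKER in line:
            rejected += 1
    return {
        "ProcessedEvents": processed,
        "RejectedEvents": rejected,
        "total_raw": total_raw,
        "total": processed + rejected,
    }


if __name__ == "__main__":
    print(aggregate(SAMPLE_EVENTS))
    # -> {'ProcessedEvents': 203, 'RejectedEvents': 2, 'total_raw': 6, 'total': 205}
```

Note that total_raw counts every event, including ones that are neither a batch summary nor a rejection, which is why the answers report ProcessedEvents + RejectedEvents rather than a plain count.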