I have log files, say A, B, C, and their corresponding indexes are, say, index_A, index_B, index_C.
I want to perform a stats count on all three indexes and combine them to show as a timechart. I used the following query.
index="index_A" "[ERROR]"
| timechart count as temp1
| appendcols [search index="index_B" | timechart count as temp2]
| appendcols [search index="index_C" | timechart count as temp3]
This query is giving me the correct result. The timechart is shown above.
The issue is when I click on the timechart to get the events for a particular index, it always shows me the events of index_A only (even if I choose index_B or index_C).
This is because I had mentioned index_A at the start of the search query.
What changes do I need to make so that if I click on an index other than index_A, I'll get the corresponding events?
@kapilbk1996, while using subsearches, the default drilldown will be limited to your main search. Following are a couple of options.
Option 1: Keep a single base search for various indexes:
(index="index_A" AND "[ERROR]") OR (index="index_B") OR (index="index_C")
| timechart count by index
| rename index_A as temp1
| rename index_B as temp2
| rename index_C as temp3
Option 2: Create your own drilldown using predefined drilldown tokens: https://docs.splunk.com/Documentation/Splunk/latest/Viz/DrilldownIntro
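As an added example (not part of the original thread or the answer above), one way to combine Option 1 with Option 2 in a Simple XML dashboard: the base search keeps the series named by the index value (no rename), so the clicked series name identifies the index, and the drilldown opens a search for that index over the clicked time bucket. The dashboard label, time range, and the separate condition that keeps the "[ERROR]" filter for index_A are assumptions.

```xml
<dashboard>
  <label>Event counts by index (example dashboard, assumed name)</label>
  <row>
    <panel>
      <chart>
        <title>Events per index</title>
        <search>
          <!-- Single base search, as in Option 1; the "[ERROR]" filter applies only to index_A -->
          <query>(index="index_A" "[ERROR]") OR index="index_B" OR index="index_C"
| timechart count by index</query>
          <!-- Assumed time range for the example -->
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">line</option>
        <drilldown>
          <!-- $earliest$ and $latest$ are set by Splunk to the clicked time bucket;
               $click.name2$ is the clicked series, i.e. the index value -->
          <condition field="index_A">
            <!-- Keep the "[ERROR]" filter so the drilldown matches what was counted -->
            <link target="_blank">search?q=search index="index_A" "[ERROR]"&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
          <condition>
            <link target="_blank">search?q=search index="$click.name2$"&amp;earliest=$earliest$&amp;latest=$latest$</link>
          </condition>
        </drilldown>
      </chart>
    </panel>
  </row>
</dashboard>
```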
@niketnilay thank you for the quick response.
Option 1 solved my issue.