Here is an example of what the search looks like:
index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 ) | rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
| top xyzApi test_filed_1test_filed_1 index limit=20 | appendcols [ search index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 ) | rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
| top xyzApi test_filed_1test_filed_1 index limit=20 ]
Ideally I want to run the search for the 9th and the 16th (both Mondays), get the count for each day and compare them; I'm not able to split the count per day.
Both top commands are creating fields with the same names (count and percent) - rename these after the first top
index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/09/2022:00:00:00 latest=05/09/2022:24:00:00 ) | rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
| top xyzApi test_filed_1test_filed_1 index limit=20
| rename count as count09 percent as percent09
| appendcols [ search index=x* OR index=y* OR index=z* Iabcd 12_* ( earliest=05/16/2022:00:00:00 latest=05/16/2022:24:00:00 ) | rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)" | fields +xyzApi test_filed_1test_filed_1 index
| top xyzApi test_filed_1test_filed_1 index limit=20 ]
@ITWhisperer When I renamed count and percent, they show up as empty columns.
What is the search you are using for this result?
Hi,
have you looked at the timewrap command? I think this can solve your issue. There are quite a few answers about this which you could easily find via Google.
r. Ismo
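As an added example (not from any of the posters above), here is one way to get the per-day counts side by side without appendcols. It reuses the indexes, the rex extraction and the xyzApi field from the question, but replaces the two top commands with a single search spanning both days, an eval that labels each event with its day, and a chart that turns the two days into two columns. The two count column names and the diff/pct_change fields are my own choice. One caveat worth knowing about the appendcols approach: appendcols joins rows by position, not by xyzApi value, so if the top 20 APIs differ between the two days, the 16th's counts land next to the wrong API; chart ... by day keys the counts on xyzApi instead.

```spl
index=x* OR index=y* OR index=z* Iabcd 12_* earliest=05/09/2022:00:00:00 latest=05/17/2022:00:00:00
| rex field=_raw "timerField:\d+:\d+:\d+:\d+ (?<xyzApi>\w+)"
``` label each event with its calendar day, then keep only the two Mondays of interest ```
| eval day=strftime(_time, "%Y-%m-%d")
| where day="2022-05-09" OR day="2022-05-16"
``` one row per xyzApi, one count column per day ```
| chart count over xyzApi by day
| rename "2022-05-09" as count09, "2022-05-16" as count16
``` an API seen on only one of the days gets 0 for the other instead of a blank ```
| fillnull value=0 count09 count16
| eval diff=count16-count09
| eval pct_change=if(count09=0, null(), round(100*diff/count09, 1))
| sort - count16
| head 20
```

The inline ``` ... ``` comments are SPL comment syntax (supported in Splunk 8.0 and later); remove them on older versions. If you want the same comparison as a time series rather than a table, Ismo's suggestion applies: replace the eval/where/chart lines with `| timechart span=1d count by xyzApi | timewrap 1w`, which lines up each day against the same weekday a week earlier.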