I'm not sure if this is a multisearch or a join or something else, but I want to chart multiple values for different sourcetypes.
For example:
Sourcetype A
field1 field2 field3 field4
Sourcetype B
field5 field6 field7 field8
Chart values(field1), values(field2), values(field3), values(field6), values(field7)
I want to search for something where the search string will be contained in field1 & field5 (they will be the same) & then collect all the data from those lines in Sourcetypes A & B.
I get Sourcetype A or B.. but not both. However, in the "Interesting Fields" from the search, I get everything so I know the data is there.
Seems like this would be a start:
(sourcetype=A field1=*) OR (sourcetype=B field5=*)
| eval newField=coalesce(field1,field5)
| stats values(field2) as field2 values(field3) as field3 values(field4) as field4
values(field6) as field6 values(field7) as field7 values(field8) as field8 by newField
But you can't chart multi-valued fields, which is what you will get if you use the values function.
Well, I guess you can use the chart command, but you can't get an actual chart... so I used the stats command.
What exactly do you want to output?
The stats command works... but because one sourcetype has multiple instances & the other has 1, they don't line up.
I ended up doing panels w/ drilldowns that worked exceedingly well. Lisa, I think you usually come to the rescue on my questions & you did again (the answer was right but it got me going to an even better answer)... as always, thanks for the assistance.
I'm almost wanting a lookup. 2 sources that I'd like to combine into 1 source really.
So field1 & field5 I want to search (those 2 fields have the same list of items). So if I search field1, I want to find all those fields in both sourcetypes.
What is the current search that you are using?