Good day,
As mentioned in the subject, I want to retrieve results from 2 searches, both containing JOIN. The purpose of this is to join search results on different time ranges (i.e. now, and 1 day ago). I used multisearch. However, I am getting this error:
Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command).
I also/already tried append, but I am not getting the results of the 2nd main search, just the first one (i.e. count_ago has values, but not count_now). I placed the | append in between the 2 main searches.
To, hopefully, be clearer, here's my actual search using multisearch with comments:
| multisearch
`comment("1st main search")`
[ search
index="<index>" earliest=-0d@d latest=now
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="now"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
`comment("2nd main search")`
[ search
index="<index>" earliest=-1d@d latest=-0d@d
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="ago"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
| fields <group_name>, count_now, count_ago
This is my code for using append:
`comment("1st main search")`
index="<index>" earliest=-0d@d latest=now
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="now"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
| append
`comment("2nd main search")`
[ search
index="<index>" earliest=-1d@d latest=-0d@d
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="ago"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
| fields <group_name>, count_now, count_ago
Anybody have ideas on how to do this correctly? Thanks a lot in advance!
Given that your searches appear to only be different by the day they cover, could you not use the date to separate the two sets, e.g. bin _time span=1d and stats by _time?
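A concrete version of the day-bucket approach suggested in that answer, added here as an example that is not part of the original thread. It keeps the placeholder names from the question (`<index>`, `<other_index>`, `<join_field>`, `<ret_id>`, `<some_value>`, `<vals>`, `<group_name>`) and assumes the `comment` macro used in the question is defined; the join subsearch is assumed to return the join field `tmp` as well, since a join can only match on a field both sides carry.

```spl
`comment("Added example: one search over both days, split by day bucket instead of two joined searches")`
index="<index>" earliest=-1d@d latest=now
| rename <join_field> as tmp
| join tmp
    [ search index=<other_index>
      | table tmp <ret_id> ]
| where <ret_id>=<some_value>
`comment("bin puts each event into its midnight-aligned day bucket")`
| bin _time span=1d
| stats count(<vals>) as count_vals by <group_name> _time
`comment("today's bucket starts at @d (midnight today); the earlier bucket is yesterday")`
| eval day=if(_time >= relative_time(now(), "@d"), "now", "ago")
`comment("pivot the two day values into one row per group: columns 'now' and 'ago'")`
| chart sum(count_vals) over <group_name> by day
| rename now as count_now, ago as count_ago
| fillnull value=0 count_now count_ago
| sort -count_now
| head 20
```

This ranks the top 20 groups by today's count and shows yesterday's count beside it; the original two searches took a separate top 20 per day, so use `sort -count_ago` instead if yesterday's ranking is the one that matters.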