I am trying to get data from 2 indexes and combine them via appendcols.
The search is
index="anon" sourcetype="test1" localDn=*aaa*
| fillnull release_resp_succ update_resp_succ release_req update_req n40_msg_written_to_disk create_req value=0
| eval Number_of_expected_CDRs = release_req+update_req
| eval Succ_CDRs=release_resp_succ+update_resp_succ
| eval Missing_CDRs=Number_of_expected_CDRs-Succ_CDRs-n40_msg_written_to_disk
| timechart span=1h sum(Number_of_expected_CDRs) as Expected_CDRs sum(Succ_CDRs) as Successful_CDRs sum(Missing_CDRs) as Missing_CDRs sum(n40_msg_written_to_disk) as Written sum(create_req) as Create_Request
| eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2)
| eval Missed_CDRs_%=round((Missing_CDRs/Expected_CDRs)*100,2)
| table *
| appendcols [| search index=summary source="abc1" OR source="abc2"
| timechart span=1h sum(xyz) as Counter
| table Counter]
But, I am getting output from just the first search. The appendcols search is just not giving the Counter field in the output.
There doesn't appear to be anything wrong with the search as you have presented it. Are you certain you have results from the subsearch?
index=summary source="abc1" OR source="abc2"
| timechart span=1h sum(xyz) as Counter
| table Counter
Yes, I have results from both the subsearches. But, still I don't see Counter in the results which is weird.
Subsearches are limited to 50,000 events - could this be the reason your subsearch is not showing any results?
Have you tried a shorter timeframe, or tried fragmenting your subsearch in some way, e.g. splitting by source?
The results have less than 10000 events in both the subsearches.
I am off my system now, but I will try multisearch tomorrow. Let's see if it works.
It is not the number of results that matters; it is the number of events returned by the first part of the search that you need to check:
index=summary source="abc1" OR source="abc2"
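
An added example, not part of the thread and not confirmed by its participants: one way to avoid the subsearch (and the limit discussed above) is to pull both indexes in one base search and build every column in a single timechart, which also lines rows up by _time rather than by row position as appendcols does. It reuses the index, source and field names from the question and assumes the summary events do not carry the CDR counter fields; summary_xyz is a helper field introduced here.

```spl
(index="anon" sourcetype="test1" localDn=*aaa*) OR (index=summary (source="abc1" OR source="abc2"))
| eval summary_xyz=if(index=="summary", xyz, null())
| fillnull value=0 release_resp_succ update_resp_succ release_req update_req n40_msg_written_to_disk create_req summary_xyz
| eval Number_of_expected_CDRs=release_req+update_req
| eval Succ_CDRs=release_resp_succ+update_resp_succ
| eval Missing_CDRs=Number_of_expected_CDRs-Succ_CDRs-n40_msg_written_to_disk
| timechart span=1h sum(Number_of_expected_CDRs) as Expected_CDRs sum(Succ_CDRs) as Successful_CDRs sum(Missing_CDRs) as Missing_CDRs sum(n40_msg_written_to_disk) as Written sum(create_req) as Create_Request sum(summary_xyz) as Counter
| eval "Missed_CDRs_%"=if(Expected_CDRs>0, round((Missing_CDRs/Expected_CDRs)*100,2), null())
```

If Counter is still empty with this form, the summary events are not matching the base search for the selected time range, which points at the data rather than at appendcols.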