I'm doing a search with a set UNION, like this:
| set union [search foo | fields IP, count] [search bar | fields IP, count]
I can correctly see the list of IP, count, but I cannot see anything on the timeline.
I'd like to have a timechart that indicates the timeline on the X-axis and, on the Y-axis, the number of events of search FOO + the number of events of search BAR.
How can I obtain this?
You don't need the set command to do this, but I can see why you tried it first.
Just search for this:
( foo OR bar )
and then use eval and eval's 'searchmatch' function to paint a field on each row, denoting whether that row was matched by the 'foo' side or the 'bar' side.
Assuming foo and bar are mutually exclusive then it's pretty simple. The following will show a timechart with two counts per time bucket. One count for the 'foo' events, one for the 'bar' events.
( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | timechart dc(remote_host) by type
and if you just want an overall count, this will do it too:
( foo OR bar ) | eval type=if(searchmatch("foo"),"foo","bar") | stats dc(remote_host) by type
If foo and bar are not mutually exclusive you might have to get a little fancier.
And if there is already a field in the data that always has one value for the 'foo' events, and another value for the 'bar' events, just put that fieldname in your 'by' clause and don't bother with the eval at all.
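An added example (not part of nick's answer) that covers the original question directly, i.e. a timechart of event counts rather than distinct remote_host values, and also the case where foo and bar are not mutually exclusive. foo and bar are placeholders for whatever the two real searches are; the 1h span is an assumption, pick whatever bucket size fits your time range. Each count(eval(searchmatch(...))) series counts an event only if it matches that side, so an event matching both is counted once in foo, once in bar, and once in total:

```spl
(foo OR bar)
| timechart span=1h
    count(eval(searchmatch("foo"))) AS foo
    count(eval(searchmatch("bar"))) AS bar
    count AS total
| eval foo_plus_bar = foo + bar
```

The total column is the number of distinct events per bucket; foo_plus_bar is literally the sum of the two searches' hit counts and only differs from total when some events match both searches. If you only want the single summed line on the chart, append `| fields _time foo_plus_bar`.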
Thank you, nick,
the problem is that in "foo" and "bar" we are using a "rename" function.
This is because the foo search, without the rename function, returns (e.g.) the following fields:
The bar search (without rename) returns:
We have to count by B in the foo search and by C in the bar search, and then filter where count is > 10.
Something like this:
"(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10"
but when I use rename on a search that is then put in OR with another, I receive an "Error in 'UnifiedSearch': Unable to parse the 'unbalanced parentheses' search." error.
Any idea about how we can do a "(foo | rename B as D) OR (bar | rename C as D) | stats count by D | where count>10" search?
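An added example, not a reply from the thread, showing how nick's searchmatch technique handles the rename problem in the follow-up. A rename cannot be applied to only one side of an OR, because the OR lives in the base search and rename is a pipeline command that runs on all results; the usual approach is to leave both fields alone and build the common field D with eval afterwards. B and C are the field names from the follow-up; foo and bar are still placeholders for the two real searches:

```spl
(foo OR bar)
| eval D=case(searchmatch("foo"), B,
              searchmatch("bar"), C)
| stats count BY D
| where count > 10
```

case() returns B for events matched by the foo side and C for the rest, so D has one value per event and stats count BY D counts across both sources; events where the chosen field is missing get a null D and are dropped by stats, which matches what the two separate renamed searches would have produced. If B only ever exists in foo events and C only in bar events, `eval D=coalesce(B, C)` does the same thing without searchmatch; the case() form is the safer one when an event can match both searches, because the first true condition wins.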