i have initial query with one index name(index1) which show F10N F10W F11 etc values in one chart but for F6 value comes from different index (index2) . how should i combine that F6 value into one chart.
index1 : MicronSite IN($input_site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h by MicronSite
index2 : MicronSite=F6 index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut)
| timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name
| addtotals fieldname=AvgTotalTrackoutTime
Try something like this
index1 : MicronSite IN($input_site$) index=mtparam sourcetype=CommandTimesByArea | rex field=_raw "Fabwide:AvgTotalTrackoutTime\s+(?<AvgTotalTrackoutTime>\d+)" | timechart span=12h avg(AvgTotalTrackoutTime) aligntime=@d+7h by MicronSite
| join type=left _time [
search index2 : MicronSite=F6 index=mfg source=command_times area_id=Fabwide command_name IN (SigmaRunComplete,MESLotTrackOut)
| timechart partial=f span=12h aligntime=@d+7h avg(avg) by command_name
| addtotals fieldname=AvgTotalTrackoutTime
]
when i run the query , it shows below like this. how should i remove that two column from chart?
| fields - MESLofTrackOut SignalRunComplete