I have two searches on which I wanted to do some filtering before doing multisearch. Is that not possible?
My code looks something like the below.
| multisearch
[search index="XXX" | table Field1 Field2]
[search index="YYY" | table Field11 Field22 |dedup Field11 Field22]
|table Field1 Field2 Field11 Field22
For this I am getting the error message:
Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 2 contains a non-streaming command).
The dedup command is not allowed with multisearch. You'll have to dedup after the multisearch or use append instead of multisearch.
I tried to do it the way below, but instead of getting over 600k records, I am getting only around 80k records. My goal is simply to add two searches and then process the result. Looks like it's doing something else.
index="XXX" | table Field1 Field2
|append extendtimerange=true maxtime=60000 maxout=50000000 timeout=60000
[search index="YYY" | table Field11 Field22 |dedup Field11 Field22]
|table Field1 Field2 Field11 Field22
Why don't you just do
index="XXX" OR index="YYY"
| fields Field1 Field2 Field11 Field22
| fields - _raw
| dedup Field11 Field22
| table Field1 Field2 Field11 Field22
On the other hand, I don't understand why you "join" two distinct sets of fields and want to put them in one table. That doesn't make much sense.
So far you didn't tell us what you're trying to achieve and from what data, but only what you're doing, so we can't help you achieve your desired result if we don't know what it is.
@PickleRick I am already doing what you suggested. My second search has a lot of duplicate data, so I was thinking that deduping in advance would speed up the overall search. If that is not the case then I will continue doing what you suggested. My end goal is to find the max date from the second search based on common columns and then display the same with the main search. I already got help from this community and it's working fine. Thank you.
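
The earlier suggestion to dedup after the multisearch, written out as an added example (not part of any post in this thread), using the placeholder index and field names from the question. Each subsearch contains only the streaming `fields` command, and `keepempty=true` is set because `dedup` otherwise drops every event that lacks Field11 or Field22, which here is every event from index XXX.

```spl
| multisearch
    [search index="XXX" | fields Field1 Field2]
    [search index="YYY" | fields Field11 Field22]
| dedup Field11 Field22 keepempty=true
| table Field1 Field2 Field11 Field22
```

With `keepempty=true` the XXX events pass through untouched and only the YYY events are deduplicated on the Field11/Field22 pair.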