I want to search five keywords in 3 indexes named "one", "two", "three".
I want my output like:
keyword "one" "two" "three"
mumbai 5 3 2
kolkata 2 2 1
chennai 0 6 4
All the numeric fields are the number of occurrences of the keyword in each index (one, two and three).
Now, I am able to generate this for the "one" index, but if I run the same query for the three indexes separately then 3 reports would be generated. I want to create only one report. Is there any way to run the same query against more than one index at the same time so that I can have the above output?
I'm not sure if this is what you are looking for, but you could use the contingency keyword:
sourcetype=foo | contingency keyword, index
It should output something like:
keyword one two three four TOTAL
Mumbai count count count count total_count
chennai count count count count total_count
I have one index created called "one" and am running my search on this index, and I am getting the output as:
For another index "two", my output would be
So, I have two separate reports with me. But instead of creating two reports, I want to create only one report, which would contain
keyword "one" "two"
mumbai 5 3
kolkata 2 2
chennai 6 4
I want this output. Please help!!
Hope you understood my requirement.
By using the contingency command as mentioned earlier. Your entire search would be:
sourcetype=foo index=one OR index=two OR index=three | contingency keyword index
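Added example, not part of the original thread: the searches above rely on a field named keyword already existing on each event. If the keywords only occur in the raw event text, the search below is one way to derive that field and get the keyword-by-index table in a single report. sourcetype=foo, the index names and the city names come from the thread; deriving keyword with searchmatch is an assumption about how the data looks.

```spl
sourcetype=foo (index=one OR index=two OR index=three) (mumbai OR kolkata OR chennai)
| eval keyword=case(searchmatch("mumbai"), "mumbai",
                    searchmatch("kolkata"), "kolkata",
                    searchmatch("chennai"), "chennai")
| chart count over keyword by index
| fillnull value=0
```

An event that contains more than one keyword is counted only under the first matching case branch, and a keyword with no hits in any index produces no row at all.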