Query1:
index=test-index "ERROR" Code=OPT OR Code=ONP |bin _time span=1d |stats count as TOATL_ONIP1 by Code _time
Query2:
index=test-index "WARN" "User had issues with code" Code=OPT OR Code=ONP
|search code_ip IN(1001, 1002, 1003, 1004)
|bin _time span=1d
|stats count as TOATL_ONIP2 by Code _time
Query3:
index=test-index "INFO" "POST" NOT "GET /authenticate/mmt"
|search code_data IN(iias, iklm, oilk)
|bin _time span=1d
|stats count as TOATL_ONIP3 by Code _time
Combined query:
index=test-index "ERROR" Code=OPT OR Code=ONP |bin _time span=1d |stats count as TOATL_ONIP1 by Code _time
|appendcols
[|search index=test-index "WARN" "User had issues with code" Code=OPT OR Code=ONP
|search code_ip IN(1001, 1002, 1003, 1004)
|bin _time span=1d
|stats count as TOATL_ONIP2 by Code _time]
|appendcols
[|search index=test-index "INFO" "POST" NOT "GET /authenticate/mmt" Code=OPT OR Code=ONP
|search code_data IN(iias, iklm, oilk)
|bin _time span=1d
|stats count as TOATL_ONIP3 by Code _time]
|eval Start_Date=strftime(_time, "%Y-%m-%d")
|table Start_Date Code TOATL_ONIP1 TOATL_ONIP2 TOATL_ONIP3

Output for individual query1:
Start_Date   Code   TOTAL_ONIP1
2025-04-01   OPT    2
2025-04-02   OPT    4
2025-04-03   OPT    0
2025-04-01   ONP    1
2025-04-02   ONP    2
2025-04-03   ONP    3

Output for individual query2:
Start_Date   Code   TOTAL_ONIP2
2025-04-01   OPT    0
2025-04-02   OPT    0
2025-04-03   OPT    0
2025-04-01   ONP    4
2025-04-02   ONP    2
2025-04-03   ONP    3

Output for individual query3:
Start_Date   Code   TOTAL_ONIP3
2025-04-01   OPT    0
2025-04-02   OPT    0
2025-04-03   OPT    9
2025-04-01   ONP    0
2025-04-02   ONP    6
2025-04-03   ONP    8

Combined query output:
Start_Date   Code   TOTAL_ONIP1   TOTAL_ONIP2   TOTAL_ONIP3
2025-04-01   OPT    2             4             9
2025-04-02   OPT    4             2             6
2025-04-03   OPT    1             3             8
2025-04-01   ONP    2
2025-04-02   ONP    3
2025-04-03   ONP

When we combine the queries, the counts do not match the individual queries. For example, on April 1st the TOTAL_ONIP2 for ONP is 4, but in the combined one it is showing null, and the value 4 is updated under OPT for April 1st.
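
An added illustration, not part of the original post: a small Python simulation of how appendcols pairs subsearch rows with main-search rows by position rather than by Code and date, next to a merge keyed on both fields. The row data is constructed from the post's individual outputs, assuming that `stats count ... by Code _time` returns no row for a group with zero events; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed from the post's individual outputs, keeping only non-zero rows
# (assumption: stats emits no row for a Code/day group that has no events).
Q1 = [("2025-04-01", "OPT", 2), ("2025-04-02", "OPT", 4),
      ("2025-04-01", "ONP", 1), ("2025-04-02", "ONP", 2), ("2025-04-03", "ONP", 3)]
Q2 = [("2025-04-01", "ONP", 4), ("2025-04-02", "ONP", 2), ("2025-04-03", "ONP", 3)]
Q3 = [("2025-04-03", "OPT", 9), ("2025-04-02", "ONP", 6), ("2025-04-03", "ONP", 8)]
FIELDS = ("TOTAL_ONIP1", "TOTAL_ONIP2", "TOTAL_ONIP3")


def appendcols_like(main, *subs):
    """Paste each subsearch column onto the main rows by row position only."""
    rows = [{"Start_Date": d, "Code": c, FIELDS[0]: n} for d, c, n in main]
    for field, sub in zip(FIELDS[1:], subs):
        for i, (d, c, n) in enumerate(sub):
            if i >= len(rows):
                # Subsearch has more rows than the main search: new row.
                rows.append({"Start_Date": d, "Code": c})
            # The subsearch's own Code and date are never compared with the
            # main row's; the count lands on whatever row sits at index i.
            rows[i][field] = n
    return rows


def merge_by_key(*results):
    """Combine result sets on (Start_Date, Code); missing counts become 0."""
    merged = defaultdict(lambda: dict.fromkeys(FIELDS, 0))
    for field, result in zip(FIELDS, results):
        for d, c, n in result:
            merged[(d, c)][field] += n
    return dict(merged)


if __name__ == "__main__":
    print("positional (appendcols-style):")
    for row in appendcols_like(Q1, Q2, Q3):
        print(" ", row)
    print("keyed on (Start_Date, Code):")
    for key, counts in sorted(merge_by_key(Q1, Q2, Q3).items()):
        print(" ", key, counts)
```

The positional version reproduces the symptom in the post: the ONP counts 4, 2, 3 and the counts 9, 6, 8 land on the first three rows. In SPL, the keyed merge corresponds to combining the searches with `append` and then running `stats sum(...) by Code _time` over the result.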