This search (search 1) returns 1 event:
host=psdkxt05 APP=TMA ORG=HPP PRJ=XX* SVC=x1 OR SVC="x2" OR SVC=x3 | JOIN F5I [ search APP=HPP PRJ=XX*] |EVAL MSECTOT=ELT*1000|WHERE MSECTOT>5000|EVAL PS_TIME=ELT-PRT|EVAL MSECTOT=ELT*1000|WHERE MSECTOT>5000|TABLE F5I,LID, PRC, PS_TIME, PRT, STM, ELT, RCD, BRC, SVC, APP|RENAME LID AS TrxID, PRT AS PRC_TIME, ELT AS TOTAL_TIME, STM AS TIMESTAMP
I want to append another search (search 2):
host="psdkxT05*" FMT="IOSTAT*" PRJ=XX* SVC=x1 OR SVC="x2" OR SVC=x3 ORG=OTHER |EVAL MSECTOT=ELT*1000|WHERE MSECTOT>5000|EVAL PS_TIME=ELT-PRT
Search 2 return 0 event (which is correct)
I have then created below search (search 3) which does NOT return any events. I had expected below search to return the 1 event from the search 1.
What have I done wrong?
host=psdkxt05 APP=TMA ORG=HPP PRJ=XX* SVC=x1 OR SVC="x2" OR SVC=x3 | JOIN F5I [ search APP=HPP PRJ=XX*] |EVAL MSECTOT=ELT*1000|WHERE MSECTOT>5000|EVAL PS_TIME=ELT-PRT|APPEND [SEARCH host="psdkxT05*" FMT="IOSTAT*" PRJ=XX* SVC=x1 OR SVC="x2" OR SVC=x3 ORG=OTHER |EVAL MSECTOT=ELT*1000|WHERE MSECTOT>5000|EVAL PS_TIME=ELT-PRT ]|TABLE F5I,LID, PRC, PS_TIME, PRT, STM, ELT, RCD, BRC, SVC, APP|RENAME LID AS TrxID, PRT AS PRC_TIME, ELT AS TOTAL_TIME, STM AS TIMESTAMP
... View more