I am using a "join" query to show one table with different columns from different sourcetypes. However, some of the sourcetypes do not contain the field which I am using for the join. In this case I found the table does not get displayed for all. I want at least the sourcetypes which have that field to display the data, and the others which don't have data should display "0" there.
e.g. sourcetype="ABC" K1 id!="null" | stats dc(id) as totalin BY FIELD1 |
join FIELD1 [
search sourcetype="DEF" K2 id!="null" | stats dc(id) as totalout BY FIELD1] |
join FIELD1 [
search sourcetype="KLM" K3 id!="null" | stats dc(id) as totallost BY FIELD1] |
join FIELD1 [
search sourcetype="XYZ" K4 id!="null" | stats dc(id) as totalrec BY FIELD1] |
table FIELD1, totalin, totalout, totallost, totalrec
Here sourcetype="KLM" does not have "id" field in the available test data and sourcetype="XYZ" does not have "field1" in the available test data.
But I want a single table which should have all these values irrespective of 0 data.
Can anyone please help me out of this?
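
One way to get the single table without join, as an added example that is not part of the original post: search all four sourcetypes at once and count distinct id per sourcetype in one stats pass, so a sourcetype with no matching events yields 0 instead of removing rows. It reuses the post's placeholders (K1 to K4, FIELD1, id) unchanged; events that lack FIELD1 are still excluded by the BY clause, so they add nothing to any row.

```spl
((sourcetype="ABC" K1) OR (sourcetype="DEF" K2) OR (sourcetype="KLM" K3) OR (sourcetype="XYZ" K4)) id!="null"
| stats dc(eval(if(sourcetype=="ABC", id, null()))) AS totalin
        dc(eval(if(sourcetype=="DEF", id, null()))) AS totalout
        dc(eval(if(sourcetype=="KLM", id, null()))) AS totallost
        dc(eval(if(sourcetype=="XYZ", id, null()))) AS totalrec
        BY FIELD1
| fillnull value=0 totalin totalout totallost totalrec
| table FIELD1, totalin, totalout, totallost, totalrec
```

This also avoids the subsearch result limits that apply to each join.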