Answering one by one,
1) How would you make a base search for this issue?
Let's see. Here the sub-query that is common across all queries will return you raw events, so to create a base search I would recommend tabling out the fields you would require, as the base search is executed once and the results are stored in memory. So it will be better to store only the fields we would require and not all the unnecessary data, which might affect the performance. So here, after you use lookup to fetch the required values, add
`.. | table Clientid,date_wday,date_hour,Platform` (add any other fields you might require) and make it a base search. Here is how:
Add a search with an id above in the form `<search id="base_search_id"><query> whatever query we made earlier</query></search>`
Now use the base search in your chart by referencing it: `<search base="base_search_id"><query> the remaining search query</query></search>`
Example:
1st search: `index=main source=demo_source | table fielda,fieldb | stats count(fielda) by fieldb`
2nd search: `index=main source=demo_source | table fieldc,fieldd | stats count(fieldc) by fieldd`
The base search will be `<search id="base_search_id"><query>index=main source=demo_source | table fielda,fieldb,fieldc,fieldd </query></search>`
Chart 1 will have `<search base="base_search_id"><query>stats count(fielda) by fieldb</query></search>`
Chart 2 will have `<search base="base_search_id"><query>stats count(fieldc) by fieldd</query></search>`
2) Are the data model and base search query concepts the same?
No. Data models are used to map the field names to a common field name. For example, the data might have username, USER, user_name, uname and many others of that sort, but we know they all refer to the same username, so the data model allows us to map all these names to a common known or standard name for a specific field.
Please refer here for full details: link
P.S. You cannot use the same query after making a data model.
Also, acceleration is a feature of data models: it creates an accelerated index for the selected data, which makes searching faster. You can read more about it here.
Suggestion
```
case(
sourcetype="PROD_APPLOG",HTTP_USER,
sourcetype="PROD_APPLOG",UserID,
sourcetype="PROD_APPLOG",userId,
sourcetype="PROD_APPLOG",usrLogin,
sourcetype="PROD_APPLOG",http_user,
sourcetype="PROD_APPLOG",user_cookie,
sourcetype="PROD_APPLOG",userID,
sourcetype="PROD1_APPLOG",Http_User,
sourcetype="PROD1_APPLOG",prod_USER,
sourcetype="PROD_WEBLOG",HTTP_USER,
sourcetype="PROD_WEBLOG",user_cookie,
sourcetype="PROD_WEBLOG",userID,
sourcetype=="F5_APPLOG",http_user,
sourcetype=="F5_APPLOG",user_cookie,
sourcetype="ONLINE_ACTIVITYLOG" AND ACTIVITY_CATEGORY=="{signin}",USR_LOGIN,
sourcetype="MOBILE_WEBLOG",HTTP_USER,
sourcetype="MOBILE_APPLOG",user_cookie)
```
is the same as
```
case(
sourcetype="PROD_APPLOG",HTTP_USER,
sourcetype="PROD1_APPLOG",Http_User,
sourcetype="PROD_WEBLOG",HTTP_USER,
sourcetype=="F5_APPLOG",http_user,
sourcetype="ONLINE_ACTIVITYLOG" AND ACTIVITY_CATEGORY=="{signin}",USR_LOGIN,
sourcetype="MOBILE_WEBLOG",HTTP_USER,
sourcetype="MOBILE_APPLOG",user_cookie)
```
because once a condition is matched, it doesn't look for the next condition. So if sourcetype="PROD_APPLOG", then userid will always be HTTP_USER and not any other field you mentioned after that. I hope you got it.
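To see the first-match behaviour described in the answer above on concrete events, here is an added Python simulation of eval case() (not the poster's code and not Splunk's implementation); the branch tables are transcribed from the two case() expressions above, and the sample events are constructed.

```python
# Branches as (sourcetype, required ACTIVITY_CATEGORY or None, field returned),
# transcribed from the two case() expressions in the answer.
LONG = [
    ("PROD_APPLOG", None, "HTTP_USER"), ("PROD_APPLOG", None, "UserID"),
    ("PROD_APPLOG", None, "userId"), ("PROD_APPLOG", None, "usrLogin"),
    ("PROD_APPLOG", None, "http_user"), ("PROD_APPLOG", None, "user_cookie"),
    ("PROD_APPLOG", None, "userID"), ("PROD1_APPLOG", None, "Http_User"),
    ("PROD1_APPLOG", None, "prod_USER"), ("PROD_WEBLOG", None, "HTTP_USER"),
    ("PROD_WEBLOG", None, "user_cookie"), ("PROD_WEBLOG", None, "userID"),
    ("F5_APPLOG", None, "http_user"), ("F5_APPLOG", None, "user_cookie"),
    ("ONLINE_ACTIVITYLOG", "{signin}", "USR_LOGIN"),
    ("MOBILE_WEBLOG", None, "HTTP_USER"), ("MOBILE_APPLOG", None, "user_cookie"),
]
SHORT = [
    ("PROD_APPLOG", None, "HTTP_USER"), ("PROD1_APPLOG", None, "Http_User"),
    ("PROD_WEBLOG", None, "HTTP_USER"), ("F5_APPLOG", None, "http_user"),
    ("ONLINE_ACTIVITYLOG", "{signin}", "USR_LOGIN"),
    ("MOBILE_WEBLOG", None, "HTTP_USER"), ("MOBILE_APPLOG", None, "user_cookie"),
]

def spl_case(branches, event):
    """Mimic eval case(): conditions are tested in order and the value paired
    with the first TRUE condition is returned, even when that field is absent
    (null) on the event. None is returned when no condition matches."""
    for sourcetype, category, field in branches:
        if event.get("sourcetype") != sourcetype:
            continue
        if category is not None and event.get("ACTIVITY_CATEGORY") != category:
            continue
        return event.get(field)
    return None

# Constructed sample events (not real log data). Two of them carry only a
# field listed *after* the first matching branch, to show it is never reached.
EVENTS = [
    {"sourcetype": "PROD_APPLOG", "HTTP_USER": "alice", "UserID": "a-123"},
    {"sourcetype": "PROD_APPLOG", "userId": "bob"},        # HTTP_USER absent
    {"sourcetype": "PROD1_APPLOG", "prod_USER": "carol"},  # Http_User absent
    {"sourcetype": "F5_APPLOG", "http_user": "dave"},
    {"sourcetype": "ONLINE_ACTIVITYLOG", "ACTIVITY_CATEGORY": "{signin}", "USR_LOGIN": "erin"},
    {"sourcetype": "ONLINE_ACTIVITYLOG", "ACTIVITY_CATEGORY": "{signout}", "USR_LOGIN": "erin"},
    {"sourcetype": "MOBILE_APPLOG", "user_cookie": "frank"},
]

def compare(events=EVENTS):
    """Evaluate both expressions over the events; the two lists come out identical."""
    return ([spl_case(LONG, ev) for ev in events],
            [spl_case(SHORT, ev) for ev in events])
```

The two events whose leading field is missing come back null under both expressions, which is why the extra branches never help; in SPL, falling through to the first populated field is what coalesce() does, not case().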