Scenario: I need to get a single dashboard out of 3 different sourcetype by passing a unique ID using the form view. I used the 3 queries and pulled the data to the user defined index - newindex and how do i get the data in a single value by passing the unique id. index=userindex Source=find_node_1 returns data as given below : time_stamp mid sid 2012-06-25 14:52:39 123456789 3924110063741806337 2012-06-25 14:54:58 782345678 623458620530373121 2012-06-25 12:21:56 663236789 4189485991196251138 index=userindex Source=find_node_2 returns data as given below : vcs vcsSId csId abc.occ analfnafafja-afafa-afafa 3924110063741806337 bac.occ baclfnafafja-afafa-afafa 623458620530373121 cac.occ cadlfnafafja-afafa-afafa 4189485991196251138 index=userindex Source=find_node_3 returns data as given below : confid mcrconf host ============================================================= analfnafafja-afafa-afafa nafafja-afafa-afafa host1 baclfnafafja-afafa-afafa nafafja-cabab-atedd host2 cadlfnafafja-afafa-afafa nafafja-lalab-bcdef host3 The mapping from 1 and 2 : sid=vcsSId The mapping from 2 and 3 : vcsSId=confid Problem statement : I want to get a single view of the all the above 3 with unique value by passing the "mid" dynamically using the form view. I tried joins as given below and it fetches empty results. index=userindex source=find_node_1 | fields time_stamp mid sid | join sid [ search source=find_node_2 | fields VCS vcsSId csId] | join vcsSId [search source=find_node_3 | fields confid mcrconf host] | table mid time_stamp sid confid mcrconf host Please let me know if i am missing something help me on how would i combine to get a single view in a query. ... View more

I have a new problem now when i try to filter the search with a fieldname value and both the search has different name. Query-1 has the field name as "SessionType" and Query-2 has the field name as "Product" and i am trying to filter the search by having Product="meeting" and i am not getting the complete result set. When i try and query as given below, i see the expected result : sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | rename OSType as OS | eval OS = if(OS=="" or isnull(OS),ClientName,OS) | rename Product as Producttype | eval ProductType = if(ProductType=="" or isnull(ProductType),Sessiontype,ProductType) | top limit=4 OS OS count percent Windows 16530 86.580767 MacOSX 2250 11.785041 iOS 234 1.225644 android 78 0.408548 But when i use the filter - "SessionType="meeting" i just get only one result set : sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information) | rename OSType as OS | eval OS = if(OS=="" or isnull(OS),ClientName,OS) | rename Product as Producttype | eval ProductType = if(ProductType=="" or isnull(ProductType),Sessiontype,ProductType) | search SessionType="meeting" | top limit=4 OS OS count percent Windows 11677 86.656772 2MacOSX 1615 11.985158 iOS 183 1.358071 I am not sure why the second query result set is not give - where i need the count for "android" as i got from the step-1. Please help. ... View more

how to join 2 different searches in a single index with different fileds and mapping them to the common field, please help : My Problem Statement : I have a string string "Participant_System_Information" on the index = broker and i want to get the count and percentage of OSType and i use the below query and i get the result. sourcetype="broker" host="g2m*" Participant_System_Information| top OSType Result : OSType count percent Windows 45741 90.932766 MacOSX 4176 8.301857 iOS 385 0.765377 I have a string string "createUpdateAttendeeResource" on the index = broker and i want to get the count and percentage of ClientName as i don't have the OSTYpe Filed and i get the result. sourcetype="broker" host="g2m*" createUpdateAttendeeResource| top ClientName ClientName count percent android 193 100.000000 Now i want to combine the above 2 quries and get the combined result of OSType and i used the below query and i am not getting the accurate count : sourcetype="broker" host="g2m*" (createUpdateAttendeeResource OR Participant_System_Information)|rename OSType as OS| rename ClientName as OS| top OS OS count percent Windows 483 67.458101 android 177 24.720670 MacOSX 56 7.821229 I think for some reason "rename" is not working as expected when combing the query, please help. ... View more