I want to split the result into three columns: the last 15 minutes' result, the 7-day average, and the 1-day average. I used the search below, but I am getting values in only two columns, i.e. Product and sevenDayAvg. The other two columns, 'oneDayAvg' and 'quantity1', are coming up blank.
Below is my search:
index="in" daysago=7 "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity>[0-9]{1,5})"
```Main (7-day) leg: rex pulls Product and quantity out of _raw; eventstats then writes the per-Product sum onto every event, and sevenDayAvg divides it by 672 (presumably 7 days x 96 fifteen-minute intervals; confirm). NOTE(review): this leg reads index="in" while both appended subsearches read index=hybris_prod; confirm the difference is intended.```
| eventstats sum(quantity) as totalsale BY Product |eval sevenDayAvg=totalsale/672 | append [search index=hybris_prod host=dep-prd-db-monitoring daysago=1 "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity>[0-9]{1,5})"
```1-day leg (inside the first append subsearch): same extraction, with oneDayAvg = per-Product sum / 96. The second append adds the last-15-minute events and extracts the quantity as quantity1. NOTE(review): in that subsearch now() is not attached to latest=; confirm it is not being matched as a literal search term.```
| eventstats sum(quantity) as totalsale BY Product |eval oneDayAvg=totalsale/96] | append [search index=hybris_prod host=dep-prd-db-monitoring earliest=-15m@m now() "Product" AND "TotalQTY" | rex field=_raw "Product:(?<Product>[0-9]{5,15}),TotalQTY:(?<quantity1>[0-9]{1,5})" ] | dedup Product | table Product,quantity1,oneDayAvg,sevenDayAvg
```NOTE(review): append places the subsearch rows after the main-search rows, and dedup Product keeps only the first row seen for each Product. That first row comes from the 7-day leg, which carries sevenDayAvg but neither oneDayAvg nor quantity1, so those two columns come out blank. The three legs are never merged into one row per Product before the dedup.```
Please note that all three searches work fine when I run them individually.