Good day,

As mentioned in the subject, I want to retrieve results from 2 searches, both containing JOIN. The purpose of this is to join search results on different time ranges (i.e. now, and 1 day ago). I used multisearch. However, I am getting this error:

Error in 'multisearch' command: Multisearch subsearches might only contain purely streaming operations (subsearch 1 contains a non-streaming command).

I also/already tried append, but I am not getting the results of the 2nd main search, just the first one (i.e. count_ago has values, but count_now does not). I placed the | append in between the 2 main searches.

To, hopefully, be clearer, here's my actual search using multisearch with comments:

| multisearch
`comment("1st main search")`
[ search
index="<index>" earliest=-0d@d latest=now
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="now"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
`comment("2nd main search")`
[ search
index="<index>" earliest=-1d@d latest=-0d@d
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="ago"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
| fields <group_name>, count_now, count_ago

This is my code for using append:

`comment("1st main search")`
index="<index>" earliest=-0d@d latest=now
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="now"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_now=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
| append
`comment("2nd main search")`
[ search
index="<index>" earliest=-1d@d latest=-0d@d
| rename <join_field> as tmp
| join tmp
[ search
index=<other_index>
| table <ret_id>
]
| where <ret_id>=<some_value>
| eval key="ago"
| stats list(<vals>) as <vals>
| eventstats count(<vals>) as count_vals by <group_name>
| sort -count_vals | head 20
| eval count_ago=mvmap(count_vals, if(((count_vals=="") or (isnull(count_vals))), 0, count_vals))
]
| fields <group_name>, count_now, count_ago

Anybody have ideas on how to do this correctly? Thanks a lot in advance!
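The multisearch error above is expected: multisearch requires every subsearch to consist only of streaming commands, and join, stats, eventstats, sort and head are all non-streaming, so any subsearch built this way will be rejected. The added example below (editor's illustration, not the poster's search) avoids combining two searches altogether: it runs one search over both days, tags each event with the window it falls in, and pivots that tag into the count_now and count_ago columns. It keeps the poster's placeholders (<index>, <other_index>, <join_field>, <ret_id>, <some_value>, <group_name>) and the poster's comment macro, and it assumes that events in <other_index> also carry <join_field>, which is renamed to tmp inside the subsearch so that join actually has a key on both sides.

```spl
`comment("one search over both days; key marks which window an event falls in")`
index="<index>" earliest=-1d@d latest=now
| eval key=if(_time >= relative_time(now(), "-0d@d"), "now", "ago")
| rename <join_field> as tmp
| join tmp
    [ search index=<other_index>
      | rename <join_field> as tmp
      | table tmp <ret_id> ]
| where <ret_id>=<some_value>
`comment("one count per group and window, then turn the window into columns")`
| chart count over <group_name> by key
| rename now as count_now, ago as count_ago
| fillnull value=0 count_now count_ago
| sort -count_now
| head 20
| table <group_name>, count_now, count_ago
```

Because the two windows are distinguished by a field value rather than by separate searches, there is nothing for multisearch or append to merge, and groups that appear in only one window still get a row with a zero in the other column from fillnull.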