I have a "Severity Level" field in both index A and index B. Their structure is like:

===index A===
Severity Level
1
2
3
4
===index B===
Severity Level
critical
high
medium
low

Now I want to combine the two indexes in a search and display the Severity Level using

| timechart count by "Severity Level"

where the combined "Severity Level" values only contain 1, 2, 3, 4.

So, I need an eval = case() to map them. My syntax for that is

eval "Severity Level" = case('Severity Level' == "critical", 1 ,'Severity Level' == "high", 2, 'Severity Level' == "medium", 3, 'Severity Level' == "low", 4, 'Severity Level' == 1, 1, 'Severity Level' == 2, 2, 'Severity Level' == 3, 3, 'Severity Level' == 4, 4, 1=1, null)

With this, the search gives an incorrect result, i.e., it only shows incorrect counts on 4. I think the problem is in the single and double quotes, but I am not sure which is which. It is a bit urgent, so I need help. Thanks.