Hi, I have two separate searches that are working independently (expected count, actual count). I want to combine the searches to get a percentage for actual count to expected count; however append, appendcols, and other ways to add the searches together have so far not worked for me. Curious if there's a better way to use stats, eval, transaction commands to achieve the combination of these searches. The end goal is to provide a visualization to understand if there's an issue when the actual count does not match the expected count - so open to suggestions on better ways to achieve that goal.
Search 1 (counting all records sent through the producer class that are not part of the refresh process):
index=index | search ("ProducerClass" AND "*Sending message:*") NOT "*REFRESH*" | stats count as actual_count
Search 2 (sum of the record counts for files processed through the opportunity class):
index=index | search "OpportunityClass" AND "Processing file: file_name" | rex field=_raw "Processing file: file_name with (?<record_count>[^\s]+) records" | stats sum(record_count) as expected_count
I have tried append like this and it has not worked:
index=index | search ("ProducerClass" AND "*Sending message:*" ) NOT "*REFRESH*"
| stats count as actual_count
| append [
search index=index "OpportunityClass" AND "Processing file: "
| rex field=_raw "Processing file: file_name with (?<record_count>[^\s]+) records"
| stats sum(record_count) as expected_count]
| eval percent =expected_count/actual_count * 100
appendcols similarly did not work ("Aborting Long Running Search"). I assume I am misunderstanding how I am combining these searches and that this is causing issues when using append-type commands. Using an OR on the searches works, but I am unsure how to use other commands to group the results properly afterwards:
index=index | search (("ProducerClass" AND "*Sending message:*" ) NOT "*REFRESH*") OR ("OpportunityClass" AND "Processing file: ")
| ...
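One way to finish the OR form from the last attempt, as an added example that is not part of the original post. It avoids append and appendcols entirely (and with them the subsearch time and result limits that produce errors like the one quoted): every event from the combined search is tagged with an eval, and a single stats call writes both counts into the same row, so the eval that divides them sees both fields instead of one row per search. It assumes the index is literally `index`, that the expected-count lines look like `Processing file: <name> with <N> records` (the `file_name` in the original rex is taken as a placeholder for an arbitrary file name), and that `ProducerClass`, `Sending message:`, `REFRESH` and `OpportunityClass` all appear in `_raw`; the field names `is_actual`, `percent` and `status` are choices made here.

```spl
index=index
    (("ProducerClass" AND "*Sending message:*" NOT "*REFRESH*")
     OR ("OpportunityClass" AND "Processing file:"))
| rex field=_raw "Processing file: \S+ with (?<record_count>\d+) records"
| eval is_actual=if(match(_raw, "ProducerClass") AND match(_raw, "Sending message:") AND NOT match(_raw, "REFRESH"), 1, 0)
| stats sum(is_actual) as actual_count, sum(record_count) as expected_count
| eval percent=if(expected_count > 0, round(actual_count / expected_count * 100, 2), null())
| eval status=case(isnull(percent), "no expected records",
                   actual_count == expected_count, "ok",
                   true(), "mismatch")
```

Events from the producer branch have no `record_count`, and events from the opportunity branch get `is_actual=0`, so `sum()` on each side counts only the events the original two searches counted (sum ignores null fields). The division is guarded because a window with no processed files leaves `expected_count` empty and an unguarded `percent` would silently come out null. For the visualization, add `| bin _time span=1h` before the stats line and `by _time` at the end of it; the result is one row per hour with `actual_count`, `expected_count` and `percent`, which a line chart shows directly, and `status` gives a field to colour or alert on when the two counts diverge.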