@to4kawa Thank you! It worked.. But I wanted to use the result of the query to change the token using eval. But it's not working. I need to check a specific value of the earliest from the result. If it matches then I need to use the token and assign some other value to it. The token value is not getting effected in the panel. Can you help me on this? <input type="dropdown" token="timepicker" searchWhenChanged="true"> <label>time piker</label> <fieldForLabel>Month</fieldForLabel> <fieldForValue>query</fieldForValue> <search> <query>| inputlookup sample_file | foreach *est [ eval &lt;&lt;FIELD&gt;&gt; = round(strptime(&lt;&lt;FIELD&gt;&gt;,"%m/%d/%Y:%T"))] | eval query="(earliest=".earliest." "."latest=".latest.")" <earliest>0</earliest> <latest></latest> </search> <change> <eval token="abc">if('query.earliest'= 1577817000, (earliest=1577817000 latest=15777903400), (earliest=1577817000 latest=15777903405))</eval> </change> </input> <panel> <html>token value: $timepicker$ $abc$</html> </panel> ... View more

@renjith, No, value of 210491 does not have in tag in the type=First but for id_second=210491 has the value in tag for type=Second. In this case tag should be considered as great since it's not present in the type=First. When the ran the query you provided, I'm not getting the values of tags but it's just displaying values as okay to all the events of tag. index=sai_core sourcetype=firstsecond_log | eval ID=coalesce(id_first,id_second) | stats values(eval(if(type="First",tag,null()))) as _tag1,values(eval(if(type="Second",tag,null()))) as _tag2 by ID | eval tag=if(_tag1!="", _tag1, _tag2) I do not understand where is the value "okay" is coming. There is no word "okay" exists in the event. How can I view the values of _tag1 and _tag2? ID tag 210468 okay 210469 okay 210470 okay 210483 okay 210487 okay 210491 okay ... View more

@tom_frotscher, Please find the events and a bit more description on the requirement. I have got events with two different types, Type=First and type=Second I would like to get the consolidated(with unique tags) from both the types based on the following conditions. If both types have a values of tag then on priority it should consider value of tag from the type=First and ignore the tag value from type=Second even if it has value or not. ii) If tag has no value i.e., "" in type=First and tag of type=Second has tha value then it consider the value from type=Second for the same id of type=First. iii) if both the types has no value in tag. we can ignore this. Note: the values of id_first and id_second has same values but the naming convention is different. time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210468" user="abc" tag="some" time=1544071583425 type="First" version="2.0.5" status="OK" id_first="210469" user="xyz" tag="" time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210470" user="wow" tag="" time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210483" user="rez" time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210487" user="yov" tag="wrong" time=1544071583424 type="First" version="2.0.5" status="OK" id_first="210491" user="boh" tag="" time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210468" user="abc" tag="some" time=1544071583425 type="Second" version="2.0.5" status="OK" id_second="210469" user="xyz" tag="where" time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210470" user="wow" tag="fishy time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210483" user="rez" time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210487" user="yov" tag="wrong" time=1544071583424 type="Second" version="2.0.5" status="OK" id_second="210491" user="boh" tag="great" output: tag id some 210469 where 210469 fishy 210470 wrong 210483 great 210487 ... View more

Update: both types will have a common id. If typeA does not contain the "Success" with id "123", It should consider the value of "Success" from typeB which as same id "123" ... View more

@whrg, That way it won't work because i want the values of the start_time to be used in the by clause. I got it solved without join but looking for an optimal way. index=main | search trainId="somevalue" [ search index=main | search trainId="somevalue" | stats earliest(start_time) as start_time by job | table start_time ] | stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job | eval pct = round((MB/total_cpu)*100, 2) | table start_time pct job ... View more

index=main | search trainId="somevalue" | stats earliest(start_time) as start_time by job Whatever the output that returns by the field start_time from the above search need to be used in the by clause for the below query. index=main | search trainId="somevalue" stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job | eval pct = round((MB/total_cpu)*100, 2) | table start_time pct job ... View more

I tried this query and it's giving me the output what im looking at. But is it possible to get the output without join command? index=main | search trainId="somevalue" | join start_time [ search index=main | search trainId="somevalue" | stats earliest(start_time) as start_time by job | table start_time ] | stats first(cpu) as total_cpu sum(cpu) as MB by start_time, job | eval pct = round((MB/total_cpu)*100, 2) | table start_time pct job ... View more

The total_cpu is the common for all the events. I'm adding another row for job B which is job B 6am I want output to be as below. Job A, 6am, 25 pct_value job B, 6am, 10 pct_value ... View more

@kamlesh_vaghela, Thanks much!! It worked ... View more

@renjith.nair Awesome!! It works like a charm.. Thank you!! Curious to know if it can be attained using join/append command? ... View more