Goal: Build a dashboard that reports on the overall status of a product based on the status of the various services that support that product. In the example below, the FileMoving service and the Filewatcher service mean that the Ingestion of the product is Up. The search is set up uniquely because I want the count to be "0" if the criteria for the search are not met.
Each search works perfectly independently of the other, but when I attempt to append the one to the other and then sum the values for "status_fcs" and "status_filewatcher", it returns nothing. Is there a way to join two searches and sum values from different fields?
|stats count | eval host="hostname1" | append [search sourcetype=FileMoving] | where host="hostname1" | stats sum(eval(if(isnull(_time),0,1))) as count_fcs by host | eval status_fcs=if(count_fcs>0,1,0)
|append
[|stats count | eval host="hostname2" | append [search sourcetype=PhLogs "Scanning directory for new files"] | where host="hostname2" | stats sum(eval(if(isnull(_time),0,1))) as count_filewatcher by host | eval status_filewatcher=if(count_filewatcher>0,1,0)]
|stats sum(status_fcs) as status_fcs sum(status_filewatcher) as status_filewatcher
|eval count=status_filewatcher+status_fcs | table count
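The search above fails for two reasons: the final eval refers to "statusfilewatcher" (the field is "status_filewatcher"), and after the append the two results sit on separate rows, so on each row one of the two status fields is null and eval's "+" yields null. The following search is an added example, not code from the original post; it reuses the hostnames, sourcetypes and search phrase from the question and adds an "ingestion_status" field as an assumption about how the dashboard would present the result. It collapses each service to a single-row count first, then uses appendcols to put both counts on one row before summing:

```spl
search sourcetype=FileMoving host="hostname1"
| stats count as count_fcs
| appendcols [ search sourcetype=PhLogs host="hostname2" "Scanning directory for new files" | stats count as count_filewatcher ]
| fillnull value=0 count_fcs count_filewatcher
| eval status_fcs=if(count_fcs>0,1,0), status_filewatcher=if(count_filewatcher>0,1,0)
| eval count=status_fcs+status_filewatcher, ingestion_status=if(count=2,"Up","Down")
| table count_fcs count_filewatcher status_fcs status_filewatcher count ingestion_status
```

"stats count" without a "by" clause returns a single row with count=0 even when no events match, so no seed row is needed to force a "0"; "fillnull" is kept as a safeguard. The appendcols subsearch returns one row, so the default subsearch result and time limits do not come into play, which they can when raw events are pulled through an append subsearch as in the original search.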