I'm trying to save the following search as a single value dashboard panel (from a report): activity_type=40 direct_object_type=102 | dedup direct_dw_object_id sortby -activity_ts | where ![...] | ... | stats distinct_count(object_id) When I run this in search or as a report I get what I believe to be an accurate result (446). However, when I try to convert it from a report to a dashboard panel it returns 81, which I'm sure is incorrect. The time range for all three of these formats (search, report, and dashboard panel) is set to All time, so I don't think it has anything to do with that. Any idea what could be causing this? ... View more

I'm trying to filter the results of a search based on the results of a (pretty complex) subsearch using the where command. Here is what my search looks like right now (spacing and line breaks added for clarity): ... | where [search ... | where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id] | fields title] | ... When I run this, I keep getting the following error: Error in 'where' command: The expression is malformed. An unexpected character is reached at ')'. When I run the contents of the first (outermost) where command, like this: ... | where [search ... | fields title] AND ![search ... | fields object_id] AND ![search ... | fields object_id] | fields title Everything runs perfectly fine, and I get the results I expect. Is something wrong with my syntax? Is there a problem with having too many nested where commands? title is a field in the main search, so I assumed I could just use where to filter out all titles that weren't found by my subsearch (i.e. where title="title1" OR title="title2"...). The error seems to be occurring at the very end of the outermost where , because when I add extraneous characters (like "asdf") to the end of the entire search I get this: Error in 'where' command: The expression is malformed. An unexpected character is reached at ') asdf'. Sorry if this isn't enough information to help. I can say that this search was working perfectly about a week ago, but when I re-indexed the data to account for new information, it started giving me this error. I've broken down the search into each individual subsearch and everything works fine, but when I try to put it all together into one big search it just won't work. Any help would be greatly appreciated ... View more

I'm trying to add a field to my main search based on the values retrieved from a subsearch. More specifically, my main search finds all questions posted on my company's community website, and the subsearch finds all responses to questions. I'm trying to match each question (found from the main search) with its first response (found by sorting the responses by time and dedup'ing the subsearch based on a thread ID). However, this doesn't seem to be working properly. Here is my search: ... | join thread_object_id [search ... | dedup thread_object_id sortby +activity_ts | eval first_comment_ts=activity_ts | fields thread_object_id first_comment_ts] When I run this search, it pairs events from my main search with timestamps for the wrong comments (the first_comment_ts is incorrect), as if the dedup thread_object_id sortby +activity_ts didn't sort it properly. In fact, it matches each thread_object_id with the first_comment_ts of the 2nd comment instead of the 1st. When I run the subsearch on its own, everything looks fine. It only displays events that correspond to the first comment of each thread (first appearance of each thread_object_id when sorted by activity_ts , which is exactly what I want. Here's an example event for a bit more clarification. Subsearch result: Main search result (after being joined with the subsearch): Any ideas why the join command would be causing these inconsistencies? Or is there any way I could do this more efficiently, perhaps without using join ? I'm sort of at a loss here. Thanks. ... View more