The below search is intended to get status codes from two different sources and put them together in a table. It works except that it keeps codes separate if they come from different searches. In the table at the bottom, I want only one row for 504, with entries for both searches and the sum (=5).
| multisearch
[search index=ABC status.code>399 | rename status.code as StatusCode
| eval type="search1"]
[search index=DEF data.status>399 | rename data.status as StatusCode
| eval type="search2"]
| chart count over StatusCode by type
| eval sum = search1+search2
| StatusCode | search1 | search2 | sum |
| 400 | 17 | 0 | 17 |
| 406 | 10 | 0 | 10 |
| 500 | 647 | 0 | 647 |
| 504 | 0 | 1 | 1 |
| 504 | 4 | 0 | 4 |
| 530 | 8 | 0 | 8 |
Do you have to use multisearch here? This simple search seems to accomplish what you desired:
index IN (ABC, DEF) (status.code>399 OR data.status>399)
| eval StatusCode = coalesce('status.code', 'data.status')
| chart count over StatusCode by index
| addtotals
The multisearch command will run more than one search at the same time, but as you've discovered, does nothing special with the results. That's up to you.
| multisearch
[search index=ABC status.code>399 | rename status.code as StatusCode
| eval type="search1"]
[search index=DEF data.status>399 | rename data.status as StatusCode
| eval type="search2"]
| chart count over StatusCode by type
| eval sum = search1+search2
| stats sum(search1) as search1, sum(search2) as search2, sum(sum) as sum by StatusCode
Then I guess my question would be, how do I get those duplicate rows to combine so I get a single sum for each distinct code?
Did the code in my answer not do that?
No, it produces the same results, with two rows for the 504 code
Hmm... I can't test with your query since I don't have your data, but my mock-up works. Do you have a run-anywhere test case? Here's mine:
| makeresults | eval _raw="StatusCode search1 search2
400 17 0
406 10 0
500 647 0
504 0 1
504 4 0
530 8 0"
| multikv forceheader=1
| eval sum = search1+search2
| stats sum(search1) as search1, sum(search2) as search2, sum(sum) as sum by StatusCode
Yep, your test case works for me also. I wondered if it isn't some kind of type mismatch. The second search uses regex while the first is just a normal search. The second search is more like the below. Though both use StatusCode>399, so the search is treating them as numbers.
[search index=DEF
| rex "message[/]*(?<StatusCode>[^,]*)"
| search StatusCode>399
| eval type="search2"]
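Added run-anywhere example, not from any post in this thread. It reproduces the two-row symptom with constructed values and shows one defensive fix. The assumption behind it is that the two 504 values differ in a way the result table does not show, for instance a trailing space captured by a rex group such as `[^,]*`, because chart and stats group by the exact string value of the by-field, so "504" and "504 " are two distinct groups. The field names (`row`, `type`, `StatusCode`) and the sample rows are constructed for this example.

```spl
| makeresults
| eval row=split("search1;504|search2;504 |search1;400|search1;406|search2;504", "|")
| mvexpand row
| eval type=mvindex(split(row, ";"), 0), StatusCode=mvindex(split(row, ";"), 1)
| fields - _time row
| eval StatusCode=tonumber(trim(StatusCode))
| chart count over StatusCode by type
| addtotals fieldname=sum
```

The first five lines build five fake events, one of which carries the value "504 " with a trailing space. Run the search without the `tonumber(trim(...))` line and chart returns two 504 rows, exactly like the table in the question; with it, the output is a single row `504 | 1 | 2 | 3` plus one row each for 400 and 406. Normalizing before the chart also removes the need for a second stats pass. One caveat: `tonumber()` returns null for anything that is not numeric, and chart drops events whose over-field is null, so keep only `trim()` if codes can legitimately be non-numeric. To check whether this is what is happening in the real data, run `| eval len=len(StatusCode) | stats count by StatusCode len` over the multisearch output: two 504 groups with different lengths confirm hidden characters in one of the extractions.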