I'm trying to use Multisearch to combine the results of two commands. My search is:

    | multisearch
        [ search index=... sourcetype=access_combined method != OPTIONS user=khevans host=... uri_path != "/" earliest=1561994601 latest=1561994640
          | join uri type=left
              [ search index=... sourcetype=access_combined status = 200 method != OPTIONS user=khevans
                | fields referer referer_domain
                | dedup referer
                | eval uri = ifnull(substr(referer, len(referer_domain) + 1), uri)
                | eval is_nav_out = 1 ]
          | where isnull(is_nav_out)
          | eval ref_uri = ifnull(substr(referer, len(referer_domain) + 1), start_uri)
          | where ref_uri="..."
          | eval type = "Web" ]
        [ search eventtype=... host=... api_uri != ... earliest=1561994601 latest=1561994640
          | where api_user == "khevans" OR isnull(api_user)
          | eval uri_path = api_uri . IFNULL("?" . api_uri_query, ""), user = IFNULL(api_user, "?"), type = "API" ]

I am getting this error:
Error in 'multisearch' command: Multisearch subsearches may only contain purely streaming operations (subsearch 1 contains a non-streaming command.)
According to the list of streaming commands, all of these are streaming. Additionally, when I run each search query independently, and press inspect job, both eventIsStreaming = true and resultIsStreaming = true. Why can't I run this
To add: it seems that the left join is causing the problem, so I guess I can refactor it to not use the join. But I'm still confused as to why the Job Inspector and documentation state that it is streaming.