I have used sub earch, while running from search bar its showing correct result as single value. But when put it on Dashboard panel, its showing No result found. I tried to put that query in CDATA as well, but no luck.
index="aa1" sourcetype="adlist" earliest=-8d latest=now
| table ComputerName
| dedup ComputerName
| eval ComputerName = lower(ComputerName)
| join type=inner ComputerName
[ search index="aa1" sourcetype="serverg" earliest=-8d latest=now
| rename Name as "ComputerName"
| eval ComputerName = lower(ComputerName)
| table ComputerName
]
| join type=inner ComputerName
[ search index=bb1 source=DSM sourcetype=hostp earliest=-2d latest=now
| rex field=_raw "Hostname=\"(?P[^.]+)" | rename Hostname as "ComputerName" | eval ComputerName = lower(ComputerName) | table ComputerName, Pattern | join type=left "Pattern" [ search index=bb1 source=DSM sourcetype=hostp earliest=-2d latest=now | table Pattern | dedup Pattern | sort-"Pattern" | streamstats count as row | eval Compliance = case(row=1, "Compliant(N, N-1, N-2)", row=2, "Compliant(N, N-1, N-2)", row=3 , "Compliant(N, N-1, N-2)", row>3 , "Non Compliant") | table "Pattern", Compliance] | table ComputerName, Pattern , Compliance] | table ComputerName, Pattern, Compliance | top limit=10 Compliance | search Compliance="Compliant(N, N-1, N-2)" | fields count
↧