Hello,
I have ~15 the same queries with a little difference:
(index=SOME_INDEX sourcetype=SOME_SOURCE source=...
| eval API=CASE(searchmatch("xxx"), "yyy", ...)
| search API=WebResponse
| eval Status=case(...)
| stats avg(dur) AS Avg by status_code
| stats count by status_code
...
(index=SOME_INDEX sourcetype=SOME_SOURCE source=...
| eval API=CASE(searchmatch("xxx"), "yyy", ...)
| search API=AppResponse
| eval Status=case(...)
| stats avg(dur) AS Avg by status_code
| stats count by status_code
So, all my queries are different only in one place - `| search API=XXX` and return result like:
| status_code | count |
| 201 | 10 |
| 404 | 28 |
etc
How I can combine all above queries into one and get result as (or something like this):
| status_code | count(AppResponse) | count(WebResponse) | count(Other) |
| 201 | 10 | 0 | 0 |
| 404 | 28 | 3 | 0 |
?
↧