DON'T GET INTIMIDATED BY THE LENGTH OF THE QUESTION.
I'm getting account numbers from the first three queries. I want to combine all the account numbers (no duplicates) and once I've the combined list of account numbers, I would like to find all fails from the 4th query only for these accounts. Can someone please help me with this scenario?
Query 1.
index=america sourcetype=abc
NOT
[search index=russia actorClient=def flag_restricted=1 OR flag_peeked=1
| stats count by empNo |rename empNo as account_number|table account_number]
| eval is_grace=if(event=="P_GRACE", 1, 0)
| eval is_pass=if(event=="P_PASS", 1, 0)
| eval is_fail=if(event=="P_FAIL", 1, 0)
| stats min(_time) as _time, sum(is_grace) as grace, ,sum(is_pass) as success, sum(is_fail) as fail by account_number, session_id
| table account_number
-----
2.
index=russia actorClient=def
| eval PTO = if('flag_restricted'== 1 , 1, 0)
| eval peeked = if('flag_peeked'== 1, 1, 0)
| stats min(_time) as _time, sum(PTO) as PTO ,sum(peeked) as peeked by empNo | where PTO > 0 OR peeked > 0
| table empNo | rename empNo as account_number
-----
3.
index=america sourcetype=abc
NOT
[search index=asia (TYPE=404 OR TYPE=505 OR TYPE=202 OR TYPE=303 OR TYPE=101)
| stats count by employee_id |rename employee_id as account_number|table account_number | where account_number!=""]
| eval is_grace=if(event=="P_GRACE", 1, 0)
| eval is_pass=if(event=="P_PASS", 1, 0)
| eval is_fail=if(event=="P_FAIL", 1, 0)
| stats min(_time) as _time, sum(is_grace) as grace, ,sum(is_pass) as success, sum(is_fail) as fail by account_number, session_id | where fail > 0 and success = 0
| table account_number
------
Finally once I have all the accounts by combining above three queries, I would like to use those account_numbers in the below query to find total number of fails.
Query 4.
index=america sourcetype=abc
| eval is_grace=if(event=="P_GRACE", 1, 0)
| eval is_pass=if(event=="P_PASS", 1, 0)
| eval is_fail=if(event=="P_FAIL", 1, 0)
| stats min(_time) as _time, sum(is_grace) as grace, ,sum(is_pass) as success, sum(is_fail) as fail by account_number, session_id
| eval all_fails = if(fail > 0 and success = 0, fail, 0)
| timechart span=1h sum(all_fails) as FINAL_NUMBER
↧