I have a search that references CSV sources which are ingested from a UF; let's call these sources foo.csv and bar.csv. The general idea is to create a table which reflects fields from both CSV sources for a given event.
I'm currently using this search...
index=test_metrics sourcetype=metrics_tsr_csv ts_message!="message" source="*Test-Traits\\bar-*.csv" | append [search index=test_metrics sourcetype=metrics_csv source="*Test-Traits\\foo.csv" reason!="reason" testStepParameters="*Test-Traits*"] | rename testCaseName as URL | table URL, status, ts_message
NOTE: The naming of bar.csv is unique to each event (row) collected from foo.csv; for example, the first row of data in foo.csv is related to a file called bar-1.csv, the second row of data in foo.csv relates to bar-2.csv, etc. This is why I'm using the wildcard in the "source" of the second search. Also, there are no common fields shared between the two CSV sources.
Here's what the ensuing table looks like from the search:
URL            status  ts_message
https://a.com  FAIL
https://b.com  PASS
https://c.com  PASS
https://d.com  PASS
https://e.com  FAIL
                       Step 1 [REST Request] FAIL: took 0 ms
                       Step 1 [REST Request] PASS: took 227 ms
                       Step 1 [REST Request] PASS: took 172 ms
                       Step 1 [REST Request] PASS: took 173 ms
                       Step 1 [Request 1] FAIL: took 238 ms
As you can see, the results from my subsearch (first two columns) are not aligned with the results from my other search (third column). What do I need to adjust in order to have my five events aligned correctly across all three columns?
I appreciate any insight that can be shared!
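The behaviour described in the question, reproduced on constructed data as an added example (not part of the original post): `append` stacks the subsearch rows under the main results, so the two sets only share a row once both carry the same key and are merged with `stats`. The field name `row_key`, the sample URLs and messages, and the use of the number in `bar-N.csv` as the row number of `foo.csv` (taken from the note in the question) are assumptions; with real data the `streamstats` count must follow the CSV row order.

```spl
| makeresults count=5
| streamstats count AS n
| eval source="bar-".n.".csv", ts_message="Step 1 [REST Request] took ".(n*10)." ms"
``` constructed stand-in for the bar-*.csv events: take the key from the file name ```
| rex field=source "bar-(?<row_key>\d+)\.csv$"
| fields row_key ts_message
| append
    [| makeresults count=5
     | streamstats count AS row_key
     ``` constructed stand-in for the foo.csv events: key is the row position ```
     | eval URL="https://site".row_key.".example", status=if(row_key%2==0, "PASS", "FAIL")
     | fields row_key URL status]
``` without this stats the table has 10 rows, each half empty; with it, 5 aligned rows ```
| stats values(URL) AS URL values(status) AS status values(ts_message) AS ts_message BY row_key
| table URL status ts_message
```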