I can use the following search to get 1 day worth of data, but anything longer causes the subsearch to hit its limit. Please Help
index=x_default sourcetype="x.alarm.y.norm" device_type=term description="EQUIP is Inactive" OR description="EQUIP LOS" OR description="EQUIP is inactive"
| eval event_time= strptime(trigger_time, "%Y-%m-%d %H:%M:%S")
| convert timeformat="%Y-%m-%d" ctime(event_time) AS event_date
| join type=inner equip_serial_number event_date [ search index=sperf_default sourcetype=common.ticket.opened.norm report_type=TR
| eval report_time= strptime(reported_date, "%m/%d/%Y %H:%M:%S")
| convert timeformat="%Y-%m-%d" ctime(report_time) AS event_date]
| chart dc(equip_serial_number) dc(report_num) BY event_date
Thank you in advance for your help
↧