I have two sourcetypes, TICKET_OPENED & TICKET_ACTIVITY, both of which have a common field TICKET_NUMBER. I am able to narrow my search on sourcetype TICKET_OPENED using the following:
index=xyz sourcetype=TICKET_OPENED PRODUCT_TYPE=A GROUP=B
A specific TICKET_NUMBER from sourcetype=TICKET_OPENED can have multiple activity logs in sourcetype=TICKET_ACTIVITY. How can I get the number of activity logs of a TICKET_NUMBER in sourcetype=TICKET_ACTIVITY? Please note that TICKET_ACTIVITY does not have the fields PRODUCT_TYPE & GROUP.