I have data coming in from three sources, with three different sets of fields:
Source 1: Filename
Source 2: Filename, Unique_Identifier
Source 3: Unique_Identifier
These sources all work with the same data, and the data flows from Source 1 to Source 2 to Source 3.
I would like to generate a report on data flowing through these three sources, and am trying to run stats to do so, e.g.
search query | stats range(_time) by Unique_Identifier, Filename
But this is only returning data from Source 2 where the Unique_Identifier and Filename fields both exist. Is there a good way to include records from Source 1 and Source 3 as well?