My search looks like this:
index=index_name source="Source A.csv" | eval Start2=strptime(Start, "%m/%d/%Y%H:%M") | eval End2=strptime(End, "%m/%d/%Y%H:%M") | map maxsearches=99999 search="search index=index_name earliest=$Start2$ latest=$End2$ source=\"Source B.csv\" | eval Problem2=\""$Problem$\"" | stats values($Problem2$) as Problem3, avg(Data) as Average, min(Data) as Min, max(Data) as Max, stdev(Data) as Stdev" | table Average Min Max Stdev Problem3
Problem is a field in Source A of the form XX003 or X2999, a letter or two, then three or four numbers. I am using the Start and End fields from Source A to look in source B's Data field and calculate stats for each Problem in Source A. I can't seem to get the Problem to pass through the map search. Help!
I have tried eval Problem=$Problem$ (like some other examples)
Problem="$Problem$"
Problem=\"$Problem\"
and the example in the code above. I have a nearly identical search with a numerical field i.e. OtherProblem=2.9 that works great.
Help!
↧