Hi all, I need to join two tables up and do a count of rain. Below is my search query; is there anything wrong? I can't seem to display my count of rain over places.
sourcetype="ltaTraffic" OR sourcetype="CurrentWeatherSGMap" Type="Accident" Location="AYE" OR Location="BKE" OR Location="CTE" OR Location="KJE" OR Location="PIE" OR Location="SLE" OR Location="TPE" OR Location="ECP" earliest=-7d latest=now |
transaction locationaccident maxspan=5s |
bucket span=1h _time |
dedup locationaccident |
fields onexpressway, locationaccident, current_area |
join current_area [search sourcetype="CurrentWeatherSGMap" |
rename Message as current_area | fields current_area current_summary] |
stats list(locationaccident) as Accidents, count(eval(current_summary="Rain" OR current_summary="Thundery Showers" OR current_summary="Showers" OR current_summary="Passing Showers" OR current_summary="Heavy Thundery Showers")) as Rain by onexpressway _time
I have updated the query to this (filter in the subsearch), but it returns the exact same count values as the accident count. What is wrong with the query? I changed it to a timechart.
sourcetype="ltaTraffic" OR sourcetype="CurrentWeatherSGMap" Type="Accident" Location="AYE" OR Location="BKE" OR Location="CTE" OR Location="ECP" OR Location="KJE" OR Location="PIE" OR Location="SLE" OR Location="TPE" earliest=-7d latest=now |
transaction locationaccident maxspan=20s |
bucket span=1m _time |
dedup _time |
fields onexpressway, locationaccident, current_area |
join current_area [search sourcetype="CurrentWeatherSGMap" current_summary="Rain" OR current_summary="Thundery Showers" OR current_summary="Showers" OR current_summary="Passing Showers" OR current_summary="Heavy Thundery Showers" |
rename Message as current_area | fields current_area current_summary] |
timechart count(locationaccident) as Accidents, count(current_summary) as Rain by onexpressway
I have tried this outer search but it won't work:
sourcetype="ltaTraffic" Type="Accident" Location="AYE" OR Location="BKE" OR Location="CTE" OR Location="ECP" OR Location="KJE" OR Location="PIE" OR Location="SLE" OR Location="TPE" earliest=-7d latest=now |
transaction locationaccident maxspan=20s |
bucket span=1h _time |
dedup locationaccident |
fields onexpressway, locationaccident, current_area |
join type=outer current_area [search sourcetype="CurrentWeatherSGMap" current_summary="Rain" OR current_summary="Thundery Showers" OR current_summary="Showers" OR current_summary="Passing Showers" OR current_summary="Heavy Thundery Showers" |
rename Message as current_area | fields current_area current_summary] |
timechart span=1d count(locationaccident) as Accidents, list(current_summary) as Rain by onexpressway
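An added example, not part of the poster's searches, showing the same correlation written without `join`. Two properties of `join` explain the symptom in the post: it is an inner join by default, so every surviving accident row has been matched to a weather row and `count(current_summary)` can only ever equal the row count; and the subsearch has no time component, so each area is matched to a single weather reading from anywhere in the seven days rather than the reading at the time of the accident. Bringing both sourcetypes into one search, bucketing them on the same `_time`, and letting `stats` group by area and hour correlates on time as well as place. It assumes the field names from the post (`current_area`, `Message`, `current_summary`, `locationaccident`, `onexpressway`) and that `current_area` on the traffic events and `Message` on the weather events carry the same area values; `area`, `is_accident` and `is_rain` are names introduced here. The base search is parenthesised so the intended grouping of the OR and AND terms is explicit.

```spl
(sourcetype="ltaTraffic" Type="Accident"
    (Location="AYE" OR Location="BKE" OR Location="CTE" OR Location="ECP"
     OR Location="KJE" OR Location="PIE" OR Location="SLE" OR Location="TPE"))
  OR sourcetype="CurrentWeatherSGMap"
  earliest=-7d latest=now
| eval area=if(sourcetype="CurrentWeatherSGMap", Message, current_area)
| bucket span=1h _time
| eval is_accident=if(sourcetype="ltaTraffic", 1, 0)
| eval is_rain=if(sourcetype="CurrentWeatherSGMap"
      AND match(current_summary, "^(Rain|Thundery Showers|Showers|Passing Showers|Heavy Thundery Showers)$"), 1, 0)
| stats dc(locationaccident) as Accidents, max(is_rain) as Rain,
        values(onexpressway) as onexpressway by _time, area
| where Accidents > 0
| timechart span=1d sum(Accidents) as Accidents, sum(Rain) as RainyHours by onexpressway
```

`dc(locationaccident)` stands in for the `transaction`/`dedup` pair by counting each accident location once per hour; `max(is_rain)` is 1 when any weather reading for that area in that hour was a rain condition, so `Rain` can now be 0 for an accident hour, which the inner join made impossible. Drop the final `timechart` to inspect the per-hour, per-area table directly when checking whether the area values on the two sourcetypes actually line up.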