First, I think what you’re looking for is the value of site to match request_type (in the initial multisearch search line) – but what you’re actually checking for in the where clause is whether the text "site" equals the text "request_type". And, of course, that is not the case!
Start by removing the second line of the multisearch (since comparing site to site will always be true), and using upper() and match():
index=cloud_aws namespace=cloudship lambda=SCScloudshipStepFunctionStats metric_type=*_v0.3
| spath input=message
| multisearch
[search request_type="*" site=*
| eval request_type=upper(request_type), site=upper(site)
| where "site" == "request_type" ]
[search request_type="*" site="RTP" zone="*"
| eval zone=upper(zone), site=upper(site)
| where match(site,zone)]
[search scope=site request_type="*" site="RTP" zone="*" cluster="*"
it would be even easier to do cluster="rtp" instead of cluster=* here, but I’ve left the idiom of upper()ing and match()ing for reading consistency
| where match(site,cluster)]
| timechart cont=FALSE span=hour sum(success) by request_type
from User warren – Stack Overflow https://stackoverflow.com/questions/71527141/multisearch-not-doing-what-i-expect/71529474#71529474
via IFTTT