
When I'm using a search query like this:

[5 event_id=1234 having same user] 

I'm getting a grouped result with only log_ts and user as normalized fields for this group.

Is it possible to get more fields similar to SQL with the

select FIELDS where CONDITION

At the moment I'm working around this by joining the first search with another search. But this seems to be extremely inefficient, because it uses the analyzer process, which itself relies on slow leveldb operations:

[5 event_id=1234 having same user] as s1 join [event_id=1234] as s2 on s1.user = s2.user

Is there a better solution?

The problem with 'having same' is that the search result only contains the fields specified in the 'having same' clause. But in this special case the 'service' field should be different, not the same, so specifying it in a comma-separated list (like '...having same user,service...') doesn't help here.

It would be great to access all the other fields in a following 'chart count()' etc.

Hi Markus,

How about a query like the one below:
event_id=1234 | chart count() as cnt, distinct_list(service) as services, distinct_list(domain) as domains by user | search cnt>5

Let us know if that helps.

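To make concrete what the suggested chart pipeline computes, and why it needs neither a second search nor a join, here is an added illustration in Python (not LogPoint code, and not from the original thread). It replays the same steps over a handful of constructed records: filter on event_id, group by user, count, collect the distinct values of the other fields of interest, and keep only the groups above the threshold. The record layout, the `min_count` parameter and the `extra_fields` parameter are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample log records (not from the original post). In the real
# system these would be the normalized events matched by 'event_id=1234'.
SAMPLE_EVENTS = (
    [{"log_ts": 1700000000 + i, "event_id": 1234, "user": "alice",
      "service": "svc%d" % (i % 3), "domain": "corp"} for i in range(6)]
    + [{"log_ts": 1700000100 + i, "event_id": 1234, "user": "bob",
        "service": "svc0", "domain": "corp"} for i in range(3)]
    + [{"log_ts": 1700000200, "event_id": 9999, "user": "alice",
        "service": "svc9", "domain": "lab"}]
)


def chart_by_user(events, event_id=1234, min_count=5,
                  extra_fields=("service", "domain")):
    """Single pass mirroring the suggested pipeline:
       event_id=<id> | chart count() as cnt, distinct_list(<field>) ... by user
                     | search cnt><min_count>
    Every field of interest is aggregated while grouping, so the group
    keeps those values and no join back to the raw events is needed."""
    groups = defaultdict(lambda: {"cnt": 0, **{f: set() for f in extra_fields}})
    for ev in events:
        if ev.get("event_id") != event_id:   # the filter stage
            continue
        g = groups[ev["user"]]               # group by user
        g["cnt"] += 1                        # count()
        for f in extra_fields:               # distinct_list(field)
            if f in ev:
                g[f].add(ev[f])
    result = {}
    for user, g in groups.items():
        if g["cnt"] > min_count:             # same comparison as 'search cnt>5'
            result[user] = {"cnt": g["cnt"],
                            **{f: sorted(g[f]) for f in extra_fields}}
    return result


if __name__ == "__main__":
    for user, row in chart_by_user(SAMPLE_EVENTS).items():
        print(user, row)
```

With the sample records only alice passes the threshold (six matching events, three distinct services, one domain); bob has three events and is dropped. Because the distinct values survive in the result, the "services should differ" requirement from the question can be checked on the group itself, e.g. by keeping only rows where `len(row["service"]) > 1`. Note that the reply's `search cnt>5` is a strict comparison; check whether your original `[5 ... having same user]` clause should map to `>` or `>=` before relying on the threshold.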