Question

More Fields in Stream Search with "having same"?

2 years ago
1 July 2021
1 reply
131 views

Userlevel 4

+8

markus.nebel@8com.de
Brainy
56 replies

When I'm using a search query like this:

[5 event_id=1234 having same user]

I'm getting a grouped result with only log_ts and user as normalized fields for this group.

Is it possible to get more fields similar to SQL with the

select FIELDS where CONDITION

At the moment I'm "workarounding" this with joining the first search with another search. But this seems to be extremly inefficient because it uses the analyzer process which itself relies on slow leveldb operations:

[5 event_id=1234 having same user] as s1 join [event_id=1234] as s2 on s1.user = s2.user

Is there a better solution?

The problem with 'having same' is, that the search result only contains the fields specified in the 'having same' clause. But in this special case the 'service' field should be different, not the same. So specifying it in a comma separate list (like '...having same user,service...') doesn't help here.

It would be great to access all the other fields in a following 'chart count()' etc.

1 reply

Userlevel 3

+7

Basudev Raut
LogPoint Team
17 replies
2 years ago
8 July 2021

Hi Markus,

How about the query like below:
event_id=1234 | chart count() as cnt, distinct_list(service) as services, distinct_list(domain) as domains by user | search cnt>5

Let us know if that helps.

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded