So I use the following workaround to get over the 100k hurdle with distinct_count(field1)
....| stats count by field1 | stats count
However I need to include other metrics (field2, field3) in the same search. For example
....| stats avg(field2) avg(field3)
How can I compute all the three metrics in one search?
It will make it a bit less efficient but eventstats can make a first pass for you.
....| eventstats avg(field2) as f2 avg(field3) as f3 | stats first(f2) as f2 first(f3) as f3 count by field1 | stats count first(f2) as "avg field2" first(f3) as "avg field3"
I believe that limit has been removed as of version 4.2, so I think if you can upgrade, you can get around it easily that way.