I've tried using the SET operator to find all the users who satisfy the first condition but are not present in a second search with a different condition. Below is an example query.
Given the set operator's limit of 10k records, I'm trying to find the best way to implement SET operations, especially DIFF.
Any pointers would be great.
Thanks, ronak
| set diff [search index=mobile Action_Name=Page_View OS="*" (app_usage_location=*Stadium* OR app_usage_location=*Park* OR app_usage_location=*Unkno*) | fields user_id] [ search index=mobile Action_Name=Page_View OS="*" NOT(app_usage_location=*Stadium* OR app_usage_location=*Park* OR app_usage_location=*Unkno*) |fields user_id] | stats dc(user_id)
Try this
index=mobile Action_Name=Page_View OS="*" | eval temp=if(like(app_usage_location,"%Stadium%") OR like(app_usage_location,"%Park%") OR like(app_usage_location,"%Unkno%"),1,2) | stats values(temp) as temp by user_id | where mvcount(temp)=1 | fields user_id
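
An added example, not part of the original answer: the same single-pass approach run over constructed sample events, narrowed to users whose events match only the first condition, which is the case the question describes. The user IDs and locations in the `constructed_events` field are made up for illustration; `mvcount(temp)=1` alone would also keep users such as u3, whose events match only the second condition.

```spl
| makeresults
| eval constructed_events="u1:Stadium North;u1:Home;u2:City Park;u3:Home;u4:Unknown;u4:Stadium South"
| makemv delim=";" constructed_events
| mvexpand constructed_events
| rex field=constructed_events "^(?<user_id>[^:]+):(?<app_usage_location>.+)$"
| eval temp=if(like(app_usage_location,"%Stadium%") OR like(app_usage_location,"%Park%") OR like(app_usage_location,"%Unkno%"),1,2)
| stats values(temp) as temp by user_id
| where mvcount(temp)=1 AND temp=1
| stats dc(user_id) as users_only_in_first_set
```

Because everything is computed in one search with `stats`, no subsearch is involved, so the record limit mentioned in the question does not come into play.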