Hi, I have a weird requirement where I want to find out -
If a user as signed into app1, then count them in results. Below is the query which shows signed into app1-
index=test
| search apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.1")
BUT if the same user has signed into app1 and then signed into app2 exclude them from results. Below is the query which shows user signed into app2
index=test
| search apiKey=XXXXX
| search (event_name=cable.signin.success AND app_version="1.0.2")
Once that is done I want to dedup the customers (field - uid) and then show the result.
Do i need to make use of sub search or is there a better way to do this? Let me know if someone can help
hi @shashank_24,
Try this:
index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2")
| stats values(app_version) as app_version by uid
| where app_version="1.0.1"
If this reply helps you, an upvote/like would be appreciated.
Hi @manjunathmeti I don't think that is quite right. It gives me the result like this as well -
UID count app_version
123456 | 47 | 1.0.1 1.0.2 |
6453647 | 44 | 1.0.1 1.0.2 |
65373890 | 36 | 1.0.1 1.0.2 |
Basically what i would want is count of users who have logged into app1 and then count of those who login to app1 and then without logging out logs into app2 as well. Final result will be difference of above 2.
Try this:
index=test apiKey=XXXXX event_name=cable.signin.success AND (app_version="1.0.1" OR app_version="1.0.2")
| stats values(app_version) as app_version by uid
| eval app_version=mvjoin(app_version, ",")
| stats count(eval(app_version="1.0.1")) as count1, count(eval(app_version="1.0.1,1.0.2")) as count2
| eval result=count1-count2