Solved: Compare Two Different Fields in a Multisearch

dsitek · ‎07-24-2019

I am trying to obtain a list of ids for orders that were abandoned/forgotten and never received a submit. I have a multisearch that finds a list of all ids when they are created and another search that finds the ids when they are submitted. I would like to find all of the values that appear only in the first list. Is there a command to do this without comparing two lookups? Here is my search:
| multisearch [ search create call" | extract id ] [ search submit call | extract id ] | table created_cart_id submitted_cart_id

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

View solution in original post

dsitek · ‎07-24-2019

I just posted this but the most obvious solution hit me in the face. After the table command, rename both fields to be the same, count them, and select only ones that appear once.
rename created_cart_id AS cart_id, submitted_cart_idea AS cart_id | stats count by cart_id | where count=1

Compare Two Different Fields in a Multisearch

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Join the Conversation

Compare Two Different Fields in a Multisearch

AI for AppInspect

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

Operationalizing Entity Risk Score with Enterprise Security 8.3+