Hi,
I have a query with 5 joins but I am sure that this can be reduced to just one join. I cant figure out the syntax for doing so though. Need something like the following but I know this kind of syntax is not valid.
if(payload.type="Foo", stats count as foocnt by txnid)
Query -
index="event" eventType="A"
| eval diff = $$payload.endVal$$ - $$payload.beginVal$$
| search diff=$someval$
| eval txnid = $$payload.ID$$
| join type=left txnid [search index="event" eventType="B" payload.type="Foo"
| eval txnid = $$payload.ID$$
| stats count as foocnt by txnid]
| join type=left txnid [search index="app_event" eventType="B" payload.type="Bar"
| eval txnid = $$payload.ID$$
| stats count as barcnt by txnid]
| join type=left txnid [search index="app_event" eventType="B" payload.type="Hello"
| eval txnid = $$payload.ID$$
| stats count as hlcnt by txnid]
| join type=left txnid [search index="app_event"eventType="B" payload.type="World"
| eval txnid = $$payload.ID$$
| stats count as wcnt by txnid]
| join type=left txnid [search index="app_event" eventType="B" payload.type="Other"
| eval txnid = $$payload.ID$$
| stats count as othercnt by txnid]
| table txnid, foocnt, barcnt, hlcnt, wcnt, othercnt
Can someone please help me merge these joins to just one join, or perhaps let me know if there is a better way to go about this whole query.
Thanks.
