Where am I going wrong here:
I'm trying to get a list of user IDs by location and pass them up to a search which also uses the userID field, and then get the average UIDelay metric of those users, which only appears in the UIDelay sourcetype.
Is this the most efficient way when the result set of the subsearch is around 1k?
index=test sourcetype=UIDelay UIDelayMs=*
[ search index=test sourcetype=Session Name="Roma"
| stats count by SessionGUID
| dedup SessionGUID
| fields SessionGUID]
| stats avg(UIDelayMs)
Thanks
Edit: I got it working, but is it the most efficient if it's to be run every 5 mins (over the last 5 mins)?
I think this is fine, but either of the following is unnecessary.
| stats count by SessionGUID
| dedup SessionGUID
This is a unique value.
| stats count by SessionGUID