I want to list ALL customers who bought a watch and then use their userId to list out all of their purchases(not limited to watches).
I'm trying to solve this using subsearches. But, its not helping. Can anyone suggest a solution?
source="foobar"
[search xxx OR yyy OR zzz source="foobar" mdn
| rex field=_raw "(?[0-9]+)" max_match=0
| dedup MDN
| rename MDN as search]
| rex field=_raw "(?[0-9]+)" max_match=0
| dedup orderid
| stats list(orderId) by MDN
Hi @vjzone,
Try something similar after changing the logic according to your events,
index="your index" source=foobar purchase=* [index="your index" source=foobar purchase=watch |table userid|dedup userid]
Below reference might give you some idea ,
Hi @vjzone,
Try something similar after changing the logic according to your events,
index="your index" source=foobar purchase=* [index="your index" source=foobar purchase=watch |table userid|dedup userid]
Below reference might give you some idea ,
Hi @vjzone, lets know if you still have questions