I am trying to get an inner join result which looks something like this: if there are 100 unique fields from the subsearch, I want to confirm whether each field is present in the main search and get the count if it is present, i.e. get the count of the subsearch and of the main search.
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m
| eval flag="DR"]
| stats count by flag
How about this?
This is great, but the subsearch results aren't a subset of the main search results (based on the MessageID field), which is the challenge.
I have no idea what log you want to count.
My answer's result:
flag count
DR xxx
SMS XXX
Comparison:
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m
| eval flag="DR"]
| stats count(eval(flag="SMS")) as SMS count(eval(flag="DR")) as DR
| eval compare = DR - SMS
This result:
DR SMS compare
XXX YYY ZZ
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| join type=inner MessageID [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m ]
Here I'm getting the results from my main search and mapping them to the subsearch. I am wondering how the count can be calculated for the main search results and the count for the join results.
to4kawa - I am able to do the inner join but am struggling with getting the count. Are you suggesting alternatives to the join statement for this purpose?
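One way to get all three numbers (main search count, subsearch count, and how many MessageIDs appear in both) in a single search, without join, is to append the two searches and then aggregate twice by MessageID. This is an added example, not code posted in the thread; it assumes the same index, search terms, time windows and MessageID field as the searches above, and the output field names (sms_events, dr_events, main_ids, sub_ids, matched_ids) are chosen here for illustration.

```spl
index=A "SMSSent=[1]" earliest=-11m@m latest=-1m@m
| eval flag="SMS"
| append [ search index=A "DeliveryReceipt=[1]" earliest=-12m@m latest=-0m@m | eval flag="DR" ]
| stats count(eval(flag="SMS")) as sms_events, count(eval(flag="DR")) as dr_events by MessageID
| stats sum(sms_events) as main_events,
        sum(dr_events) as sub_events,
        count(eval(sms_events>0)) as main_ids,
        count(eval(dr_events>0)) as sub_ids,
        count(eval(sms_events>0 AND dr_events>0)) as matched_ids
```

The first stats collapses both result sets to one row per MessageID, so the second stats can count IDs seen only on the SMS side, only on the DR side, or on both; matched_ids is the equivalent of the inner join's row count, while main_events and sub_events keep the raw event counts of each search. Because append still runs a subsearch, it is subject to the usual subsearch result and time limits, so for large windows the same two-level stats can be run over a single base search that matches both terms (index=A ("SMSSent=[1]" OR "DeliveryReceipt=[1]")) with flag derived from the event text instead.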