I have a dataset that looks like: (id, foo, bar, user) that I want to show results for on a dashboard. Given an input combination of values for foo and bar, I want to know which ids both a) hav...
See more...
I have a dataset that looks like: (id, foo, bar, user) that I want to show results for on a dashboard. Given an input combination of values for foo and bar, I want to know which ids both a) have at least one row that has BOTH of those values; and b) have at least one row that has NEITHER of those values and then count the number of such ids by user. For example, a search on (foo=A, bar=1) for the data id foo bar user 1234 A 1 admin 1234 B 2 admin 1234 C 3 other_user abcd A 1 admin abcd A 2 admin would count 1234, but not abcd, and return user ids admin 1 other_user 1 Each search parameter can be a single value or a comma-separated list. Empty values are permitted in up to one field at a time. This is the closest I have been able to get: index="data" [ | tstats count where index="data" AND foo IN (A) AND bar IN (1) by id | fields id ] AND NOT (foo IN (A) OR bar IN (1)) | fields id, user | stats dc(id) as ids by user I believe the query does what I want it to, but unfortunately am constrained by the hard limit of 10,500 results for subsearches. Is there a way to get the data I want without an intermediate command limiting my results?