Hello, I hope you can help me refine the following query. So far I am successfully getting the GroupId, Description, Date and count from the initial search and first join statement.
The three joins further down are intended to detect when a source is missing and then if not, print out a "Yes" to the user:
host=*90* Action=Norm* _myCategory
_sourceA OR _sourceB OR _sourceC
| dedup Source GroupId
| stats count by GroupId
| join GroupId [search Action=PublishedGtpRule
| fields + GroupId Description Date SportId]
| eval pDate=strptime(Date, "%d/%m/%Y %H:%M:%S")-now()
| where pDate>0 AND pDate<86400 AND count<3
| join GroupId [search _sourceA | eval SourceAAvailable="Yes" ]
| join GroupId [search _sourceB | eval SourceBAvailable="Yes" ]
| join GroupId [search _sourceC | eval SourceCAvailable="Yes" ]
| fields GroupId Description Date count SourceAAvailable SourceBAvailable SourceCAvailable
This query has two problems:
1. Mainly, it doesn't work as intended; however, I have been trying to piece it together for a while and am not quite hitting the mark.
2. It takes a long time to come up with results and frequently causes the web server to stop responding/restart. I am aware this is probably due to the multiple joins each kicking off a search, so if there were a neater way to do this, that would be highly appreciated.
I'm trying to find out, in a given category, which results have fewer than 3 sources. Once these have been found, display a description and information to determine which sources are missing.
Many thanks to y'all.
Matt
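
A join-free way to get the result described above, as an added example that is not part of the original post: both event sets are read in one search and combined with `stats`, so no subsearch is started. It assumes the `Source` field holds the literal values `sourceA`, `sourceB` and `sourceC` (hypothetical placeholders, like the `_sourceA` search terms in the post); `NormSource` and `Sources` are field names introduced here.

```spl
(host=*90* Action=Norm* _myCategory (_sourceA OR _sourceB OR _sourceC)) OR Action=PublishedGtpRule
| eval NormSource=if(like(Action, "Norm%"), Source, null())
| stats dc(NormSource) AS count values(NormSource) AS Sources latest(Description) AS Description latest(Date) AS Date by GroupId
| eval pDate=strptime(Date, "%d/%m/%Y %H:%M:%S")-now()
| where pDate>0 AND pDate<86400 AND count<3
| eval SourceAAvailable=if(isnotnull(mvfind(Sources, "^sourceA$")), "Yes", "No")
| eval SourceBAvailable=if(isnotnull(mvfind(Sources, "^sourceB$")), "Yes", "No")
| eval SourceCAvailable=if(isnotnull(mvfind(Sources, "^sourceC$")), "Yes", "No")
| fields GroupId Description Date count SourceAAvailable SourceBAvailable SourceCAvailable
```

Unlike the inner joins in the post, this also returns groups that have a published rule but no matching source events at all (`count` is 0); add `count>0` to the `where` clause to exclude them.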