Hi, a question from a high level of what goes on behind the scenes. I have an internal user who has written lots of handy macros that get chained together. The dashboards leveraging the macros use a base query with panels that continue processing the base query result set. This user is hitting disk quota usage limits that other internal users do not hit. The macros perform a series of joins and appends along the way with 4 joins not being unusual. I'm wondering if the joins perhaps create multiple copies of the left join for each of any join along the way, requiring more disk space during processing stages even if the end result is "small".  The usage reported in the search does not match the sum total of the usage in the job inspection page so we are not sure what is consuming the space.  I just ran one example query of the chained macros, broken out to its query form in ad hoc search, and the end result was only 64k events that are small in size (less than 50 characters). So I guess my question(s) is: 1. Do joins require a lot of disk space usage from the user's quota? 2. Any tips on how to debug end user issues with disk quota usage?   ... View more

I want to run a query where: 1. Query1 returns resultset1containing myEvent1.uid 2. Query2 returns resultset2 containing myEvent2.uid which is a subset of the myEvent1uid values. 3. Filter myEvent1 events and discard any that don't have a matching myEvent2.uid. This can be done easily with an inner join but the result2 dataset is larger than 50k so I cannot use a join. What I want is to do an inner join without using join!  😀  (I'm also practicing not using join, in general, but I really can't use join in this case.) Saw some other posts that use join and other tricks and tried different solutions with coalesce() and also creating a new fields but haven't figured out a way that worked. Thanks in advance!   ... View more

I recently created a Summary Index to use with some planned dashboards. To generate the Summary Index I run a report each night with Time Range set to Yesterday, "bucket _time span=day" to summarize each day into one entry, then add it to the Summary Index. Right now I wish I had more historical data in that Summary Index so I'm wondering if its OK to establish the Summary Index freshly, perhaps with a timeframe of Last 30 Days or Last 45 Days, then the next day update the report schedule to look just for Yesterday and continue on like that. ... View more

I have a dashboard and some queries in the panels are taking longer than the allowed 60 seconds to complete.  They are using stats count but there are a lot of instances of events to count so it takes some time. I'm looking at making the queries rely on summary indexes instead in order to speed them up. But in the meantime users of the dashboard passively get inconsistent results because they aren't aware the query exited before finishing. That is, data is rendered but its not clear to the user that its incomplete data. Is there a way in a dashboard to signal to the user that a panel reached the auto-finalize limit?  Right now I can click the "information"  icon ("i") and see this error: "The search auto-finalized after it reached its time limit: 60 seconds." But I'd like to detect and surface it, if its possible. Thanks! ... View more

Is it valid to use a where clause to compare a string value to a multivalue field in order to know if that value is one of the values in the multivalue field?  For example,  my query returns this result where firstName is a multivalued field:   lastName | firstName -------- ----------- Smith | Amy, Barbara, Carol Wilson | Carol, Deanna, Emily   In my query I add the following to the end of my query to find all rows containing "Carol" in the multivalue field.   where firstName="Carol"     The where clause seems to work fine and returns all the row containing "Carol" in the multivalue field.  I'm wondering if its a supported syntax because I didn't find an example that looks like this and the various "mv" functions seemed to be for more complicated operations. In this example, I'm looking to get all last names and any associated first name and then use a where clause to return anyone with a particular first name. ... View more