Correct me if I'm wrong - using multiple in fields in by counts by unique value tuples of all those fields right? So, given the sample table I posted: | eval matchstate=case(in(foo,1,2,3) AND in(bar,4,5,6),1,NOT in(foo,1,2,3) AND NOT in(foo,4,5,6),2,1=1,0 | stats values(matchstate) as matchstate by id user will give back id foo bar user matchstate 1234 A 1 admin 1, 2 1234 C 3 other_user 2 abcd A 1 admin 1, 0 Then | where matchstate=1 AND matchstate=2 will drop the row for other_user, when I want my results to include that row. I mentioned eventstats because I would still need the user column after doing the stats values, but can't include it using by.
... View more