Hi,
I'm currently setting up an aggregation via a scheduled search. Running the query for this in the search bar gives the expected results; however, some of the parameters are sometimes off when scheduled.
This is the query:
udid!="" index="index_here" | eval search_name="search" | addinfo | eval search_day=strftime(info_max_time,"%Y/%m/%d") | stats count(eval(action=="page_view")) AS page_view_count first(gender) AS gender first(age) AS age first(is_registered) AS is_registered by udid | stats count by is_registered
What appears to not be working is the "first(is_registered)" as well as the others of this type. However, it works perfectly in the search bar, so how can this be fixed? It's as if this command is treated differently from the saved search.
first() refers to the first event seen by the search process, which may not always be the most recent event. You might want to try swapping first() for latest(), which specifically uses the timestamp of the event to determine the most recent value to keep (and you also have earliest() for the inverse).
If those don't help, can you add some detail? Some sample data with what you're getting vs. what you expect to get?
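To make the difference concrete, here is a small Python model of the two stats functions over constructed events (an added example, not code from the thread or from Splunk). It assumes only that the search process may hand events to stats in any order; first() keeps whatever value it sees first, latest() keeps the value from the event with the greatest _time, so the second-stage count by is_registered only stays stable with latest().

```python
"""Model of Splunk stats first() vs latest() on constructed events."""
from collections import Counter

# Constructed sample events: two udids whose is_registered value changes over time.
EVENTS = [
    {"_time": 1000, "udid": "A", "is_registered": "no",  "action": "page_view"},
    {"_time": 2000, "udid": "A", "is_registered": "yes", "action": "page_view"},
    {"_time": 1500, "udid": "B", "is_registered": "no",  "action": "page_view"},
    {"_time": 2500, "udid": "B", "is_registered": "no",  "action": "login"},
    {"_time": 3000, "udid": "B", "is_registered": "yes", "action": "page_view"},
]


def stats_first_by_udid(events):
    """first(is_registered) by udid: keeps the value from the first event the
    stats command *sees*, so the result depends on arrival order."""
    out = {}
    for e in events:
        out.setdefault(e["udid"], e["is_registered"])
    return out


def stats_latest_by_udid(events):
    """latest(is_registered) by udid: keeps the value from the event with the
    greatest _time, independent of arrival order (earliest() is the mirror)."""
    newest = {}
    for e in events:
        if e["udid"] not in newest or e["_time"] > newest[e["udid"]]["_time"]:
            newest[e["udid"]] = e
    return {udid: e["is_registered"] for udid, e in newest.items()}


def count_by_is_registered(per_udid):
    """Second stage of the thread's query: stats count by is_registered."""
    return dict(Counter(per_udid.values()))


def compare(events):
    """Run both aggregations over the events in the given order."""
    return (count_by_is_registered(stats_first_by_udid(events)),
            count_by_is_registered(stats_latest_by_udid(events)))


if __name__ == "__main__":
    # Same events, two arrival orders: first() flips, latest() does not.
    for label, order in (("ascending", EVENTS), ("descending", list(reversed(EVENTS)))):
        first_counts, latest_counts = compare(order)
        print(f"{label}: first() -> {first_counts}, latest() -> {latest_counts}")
```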
I figured this out finally as well, as it was the issue, thanks.
I am curious to know why the search process for saved searches treats this differently from a standard query in the search bar. Is it searching multiple buckets at once or something along those lines to be more efficient?
That's a good question, I don't actually know. I just tend to use earliest() and latest() because that's my intent anyway.