My data model is like:
Key Source Destination
1 a b
1 b c
1 a c
1 a e
Because the source result table is too large, I need to get the top 30 results that have the 15 most popular ones in each, for Source and Destination.
I propose:
1. index=bla model=blala | top limit=15 Source as sourcegroup??
2. index=bla model=blala | top limit=15 Destination as destinationgroup?
3. index=bla model=blala where Source is contained in sourcegroup or Destination is contained in destinationgroup?
I don't know how to implement list item 3, and how to combine the results into 1. I searched and tried with multiplesearch, but it did not work. Or if the algorithm is slow, any efficient suggestions please?
Thank you so much.
@h52huang if you want to run the search only for the top 15 Sources and Destinations try the following search
index=bla model=blala
[ search index=bla model=blala
| top limit=15 Source showperc=f showcount=f]
[ search index=bla model=blala
| top limit=15 Destination showperc=f showcount=f]
@niketnilay
Could you share more knowledge on this please? I have been doing a few experiments locally and I am getting confused about the pipeline filtering in subsearches.
index=bla field1=aaa field2=bbb (Source=A OR Destination=A)
is returning 75 events (not 15 events).
[index=bla field1=aaa field2=bbb Source=A | top limit=15 DestinationNode showperc=f showcount=f ]
@niketnilay
I seem to have figured it out. 🙂
|union
[subsearch 1]
[subsearch 2]
index=bla field1=aaa field2=bbb (Source=A OR Destination=A)
[index=bla field1=aaa field2=bbb Source=A | top limit=15 Destination showperc=f showcount=f ]
[index=bla field1=aaa field2=bbb Destination=A | top limit=15 Destination showperc=f showcount=f ]
Does this append the results? My desired result is a total of 30, with 15 of Source=A and 15 of Destination=A.
Thank you very much. @niketnilay
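A model of how the search with two side-by-side subsearches filters events, as an added example that is not part of the original thread: each subsearch expands into an OR of field=value terms, and terms placed next to each other in a Splunk search are ANDed. It is written in Python rather than SPL, and the sample events and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample events (Key, Source, Destination); not data from the thread.
EVENTS = [
    {"Key": 1, "Source": "a", "Destination": "b"},
    {"Key": 1, "Source": "a", "Destination": "c"},
    {"Key": 1, "Source": "a", "Destination": "e"},
    {"Key": 1, "Source": "b", "Destination": "c"},
    {"Key": 1, "Source": "d", "Destination": "c"},
    {"Key": 1, "Source": "d", "Destination": "f"},
]


def top_values(events, field, limit):
    """Model of `top limit=N <field> showperc=f showcount=f`:
    the N most frequent values of one field, without counts."""
    counts = Counter(e[field] for e in events)
    return {value for value, _ in counts.most_common(limit)}


def filter_events(events, limit, combine):
    """Keep events whose Source / Destination is in the respective top-N set.

    combine="and": two subsearches side by side (implicit AND between them).
    combine="or":  the same two subsearches joined with an explicit OR.
    """
    if combine not in ("and", "or"):
        raise ValueError("combine must be 'and' or 'or'")
    top_src = top_values(events, "Source", limit)
    top_dst = top_values(events, "Destination", limit)
    kept = []
    for e in events:
        in_src = e["Source"] in top_src
        in_dst = e["Destination"] in top_dst
        match = (in_src and in_dst) if combine == "and" else (in_src or in_dst)
        if match:
            kept.append(e)
    return kept


if __name__ == "__main__":
    for mode in ("and", "or"):
        rows = filter_events(EVENTS, limit=1, combine=mode)
        print(mode, [(r["Source"], r["Destination"]) for r in rows])
```

Either way the outer search returns the matching events themselves, so the result size is not capped at 15 or 30 rows. In SPL the "or" case corresponds to writing OR between the two bracketed subsearches.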