Hello all,
I have the following query:
index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | table _time, resultValue1, resultValue2, resultValue3 | sort _time
Quick explanation of the fields:
filterCriteria in("Criteria1", "Criteria2").
For achieving this, I tried to use join of two separate queries, based on the filterCriteria attribute, like this:
index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | join filterCriteria [search index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria2"] | table _time, resultValue1, resultValue2, resultValue3 | sort _time
But it seems that it's returning only the values of the last part of the join instead.
resultValue1/2/3 are fields with values shared by both queries, so they can be aggregated.
Is there a more efficient/another way to achieve this filtering by multivalued / in-like criteria?
Thanks in advance!
Hello,
Why don't you use IN to filter the request:
index=_internal name IN ("management","ingest")
in your case:
index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria IN ("Criteria1", "Criteria2") | table _time, resultValue1, resultValue2, resultValue3 | sort _time
(index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" ) OR (index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria2" )
| stats values(_time) as _time , values(resultValue1) as resultValues1, values(resultValue2) as resultValues2, values(resultValue3) as resultValues3 by filterCriteria
| sort _time
try stats with by.
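The IN filter from the replies above, as an added example that is not part of the original thread. It builds six constructed events with makeresults instead of reading someIndex; the field names come from the question, the values and the extra "Criteria3" events are made up to show what gets excluded.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=_time - (6 - n) * 60
| eval attr2="aValue"
| eval filterCriteria=case(n % 3 == 1, "Criteria1", n % 3 == 2, "Criteria2", true(), "Criteria3")
| eval resultValue1=n * 10, resultValue2=n * 100, resultValue3=n * 1000
| search attr2="aValue" filterCriteria IN ("Criteria1", "Criteria2")
| table _time, filterCriteria, resultValue1, resultValue2, resultValue3
| sort _time
```

Four rows come back (n = 1, 2, 4, 5) in time order, with both criteria present and the Criteria3 events dropped. Replacing the last two lines with `| stats values(resultValue1) AS resultValue1 BY filterCriteria` gives one row per criterion, as in the stats reply.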