Solved: Is this a Join, subsearch, or something else?

theeven · ‎08-27-2013

In my search I am at a stage where I have something like below.

USERID EVENT STATUS
1 HELLO PASS
2 HELLO FAIL
3 HELLO FAIL
4 HELLO PASS
2 HELLO PASS
3 HELLO PASS
7 HELLO FAIL
4 HELLO PASS
8 HELLO PASS

I need a way to list all USERID who have encountered both PASS and FAIL STATUS

2
3

help?
thanks.

gkanapathy · ‎08-27-2013

Pretty straightforward:

... | stats values(STATUS) as statuses by USERID | where statuses=="PASS" AND statuses=="FAIL"

gkanapathy · ‎08-27-2013

Pretty straightforward:

... | stats values(STATUS) as statuses by USERID | where statuses=="PASS" AND statuses=="FAIL"

theeven · ‎08-27-2013

Okay here's my solution. Works good for me.

| stats values(STATUS) as STATUS_MV by USERID 
| eval STATUS_COUNT = mvcount(STATUS_MV) 
| search STATUS_COUNT=2

In my case, Status can only take one of the 2 conditions (PASS/FAIL). In other case ">" operator could also be used.

Runals · ‎09-11-2013

That is similar to how I would approach it

...| stats dc(STATUS) by USERID

theeven · ‎08-27-2013

I am planning to group timechart per_day() at the end.

lukejadamec · ‎08-27-2013

How far back in time do you want to look?
For users that have both pass and fail, in the past hour, day, month?

theeven · ‎08-27-2013

not sure if i get it.

yannK · ‎08-27-2013

I hate to say that, but maybe a transaction may be useful.

mysearch PASS OR FAIL | transaction USERID | search PASS AND FAIL | table USERID

HiroshiSatoh · ‎08-27-2013

I did not think of this. The Helpful simple.

lukejadamec · ‎08-27-2013

What is the timeframe?

Is this a Join, subsearch, or something else?