time='1384959722',f1="null",f2="null",f3="203.1",f4="5127.34",m1="GROUP1",m2="100.000",f5="7"
time='1384959723',f1="null",f2="null",f3="203.4",f4="5752.53",m1="GROUP2",m2="200.000",f5="7"
time='1384959724',f1="null",f2="null",f3="202.1",f4="5372.63",m1="GROUP3",m2="300.000",f5="7"
time='1384959725',f1="null",f2="null",f3="205.5",f4="5334.39",m1="GROUP1",m2="400.000",f5="7"
time='1384959726',f1="null",f2="null",f3="206.1",f4="5395.32",m1="GROUP2",m2="100.000",f5="7"
time='1384959727',f1="null",f2="null",f3="201.2",f4="5397.43",m1="GROUP3",m2="600.000",f5="7"
time='1384959728',f1="null",f2="null",f3="206.1",f4="5351.63",m1="GROUP1",m2="400.000",f5="7"
time='1384959728',f1="null",f2="null",f3="206.1",f4="5351.63",m1="GROUP4",m2="100.000",f5="7"
I have the above logs. I want to search for all m1's which have the value 100.000 as m2 and count the occurrences, like below:
m1      m2
GROUP1  100.000(1)
        400.000(2)
GROUP2  200.000(1)
        100.000(1)
Note that GROUP4 only has 1 value of 100.000, thus it is not shown; another value is required to be present for it to be displayed.
So far, this is what I can think of:
dedup m1 and dc(m2), then check if value 100.00 is part of dc(m2) and dc(m2) > 1 (so more than 1 unique value) for that m1 group, then print out.
Using that logic, is it correct? And how would I construct a query like above?
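The logic described in the post, carried out in Python over the eight sample events, as an added example that is not part of the original post and is not a Splunk query. The function names (`parse`, `groups_with_value`, `render`) are hypothetical, and the sample lines are copied from the post.

```python
import re
from collections import Counter

# Sample events copied from the post above.
LOGS = """\
time='1384959722',f1="null",f2="null",f3="203.1",f4="5127.34",m1="GROUP1",m2="100.000",f5="7"
time='1384959723',f1="null",f2="null",f3="203.4",f4="5752.53",m1="GROUP2",m2="200.000",f5="7"
time='1384959724',f1="null",f2="null",f3="202.1",f4="5372.63",m1="GROUP3",m2="300.000",f5="7"
time='1384959725',f1="null",f2="null",f3="205.5",f4="5334.39",m1="GROUP1",m2="400.000",f5="7"
time='1384959726',f1="null",f2="null",f3="206.1",f4="5395.32",m1="GROUP2",m2="100.000",f5="7"
time='1384959727',f1="null",f2="null",f3="201.2",f4="5397.43",m1="GROUP3",m2="600.000",f5="7"
time='1384959728',f1="null",f2="null",f3="206.1",f4="5351.63",m1="GROUP1",m2="400.000",f5="7"
time='1384959728',f1="null",f2="null",f3="206.1",f4="5351.63",m1="GROUP4",m2="100.000",f5="7"
""".splitlines()

# key='value' or key="value" pairs, as they appear in the sample lines.
PAIR = re.compile(r"""(\w+)=["']([^"']*)["']""")


def parse(line):
    """Turn one log line into a dict of field name -> string value."""
    return dict(PAIR.findall(line))


def groups_with_value(lines, target="100.000"):
    """Count m2 values per m1; keep an m1 only if it has the target value
    and more than one distinct m2 (the post's dc(m2) > 1 condition)."""
    counts = {}
    for line in lines:
        event = parse(line)
        if "m1" not in event or "m2" not in event:
            continue  # skip lines that lack either field
        counts.setdefault(event["m1"], Counter())[event["m2"]] += 1
    return {m1: dict(c) for m1, c in counts.items()
            if target in c and len(c) > 1}


def render(result):
    """Format the result in the layout the post asks for."""
    rows = ["m1      m2"]
    for m1, m2_counts in result.items():
        for i, (m2, n) in enumerate(m2_counts.items()):
            rows.append(f"{m1 if i == 0 else '':<8}{m2}({n})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(groups_with_value(LOGS)))
```

GROUP3 is dropped because it never has 100.000, and GROUP4 because 100.000 is its only distinct value, which matches the expected output in the post.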