I'm writing a generic search layer that allows our users to have a drilldown, faceted search experience. This means that for a given set of search results, I want to see the distribution of existing values for a set of given fields, with a count of matches. This will allow the user to select one of those values and run a second search, narrowing down the results.
It seems easy enough to do it for one result field, using stats count or chart count. The problem is that counting over multiple fields results in a narrow AND count, rather than a separate count for each different field.
I've tried implementing this with subsearches - search host="test" | chart count by field1 | append [search host="test" | chart count by field2] - but this requires me to pass the search filters (host="test") for every internal subsearch, in essence running the search n times instead of just getting stats on a single set of search results. It might be more efficient than running n searches from my code, but it still seems wasteful.
So, is there a way to achieve this without running multiple searches? It would be even better if I can get the search results alongside the search stats in a single hit.
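One way to get a separate count per field from a single pass over the results, shown as an added example that is not part of the original post: each event is tagged with one "field=value" label per facet field, the labels are expanded into rows, and the rows are counted. The field name facet is a hypothetical name introduced here; host="test", field1 and field2 are the ones from the question.

```spl
host="test"
| eval facet=mvappend("field1=" . field1, "field2=" . field2)
| mvexpand facet
| stats count by facet
```

Events that lack one of the fields contribute no label for it, because concatenating with a null value yields null and mvappend skips null arguments. mvexpand is subject to a memory limit, so on very large result sets its output can be truncated.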