If I have two searches as below (uniqueId is a common field exists in both searches, while field1, field2 are unique fields only applying to it search)
EVENT_CONTAIN_SOME_KEYWORD | table uniqueId, field1
EVENT_CONTAIN_ANOTHER_KEYWORD | table uniqueId, field2
Then i can use the transaction command to combine the table (it is safe to assume there are only one field1 and one field2 for every uniqueId)
EVENT_CONTAIN_SOME_KEYWORD OR EVENT_CONTAIN_ANOTHER_KEYWORD
| transaction uniqueId
| table uniqueId, field1, field2
I am not using any of those startswith / endswith / maxspan / maxpause args really.
Is there a way to avoid using transaction, and make my query more efficient?
Thanks!
... View more