Hello all,
I have the following query:
index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | table _time, resultValue1, resultValue2, resultValue3 | sort _time
Quick explanation of the fields:
attr1/2: these are some filters which have constants. Those are "irrelevant" to my problem right now.
filterCriteria: The above query has one value as a filter, but I need to filter by two values. This means something like filterCriteria in("Criteria1", "Criteria2").
To achieve this, I tried to use a join of two separate queries, based on the filterCriteria attribute, like this:
index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria1" | join filterCriteria [search index=someIndex "attr1"=aConstant attr2="aValue" filterCriteria="Criteria2"] | table _time, resultValue1, resultValue2, resultValue3 | sort _time
But it seems that it's returning only the values of the last part of the join instead.
resultValue1/2/3 are fields with values shared by both queries, so they can be aggregated.
Is there a more efficient/another way to achieve this filtering by multivalued / in-like criteria?
Thanks in advance!