Can I count_distinct within transactionize groupings?
I have a problem in which I want to know when a certain FieldB changes value while another FieldA remains constant across many log entries. I transactionize FieldA to create groupings, and while I can see the FieldB values, I want to then run a query to only show groups where the distinct count of FieldBs is greater than 1. Reading the docs it appears I can run a subquery, but I cannot get it to work. I either get syntax error, or the scope of the count is beyond the grouping The below example yields a distinct count beyond the scope of the group created by the transactionize. "GET /api/transaction/" | parse "GET /api/transaction/*?deviceid=* " as FieldA, FieldB |transactionize FieldA (merge FieldA, FieldB ) | count_distinct(FieldB)
-
David, I believe your issue might be that you do not need a merge for your query, so your subquery can be your count_distinct.
Without knowing your data, so making some assumptions, I believe what you are looking for is:
"GET /api/transaction/"
| parse "GET /api/transaction/*?deviceid=* " as FieldA, FieldB
|transactionize FieldA, FieldB (count_distinct(FieldB))Hope this helps!
Cheers,
Mario
-
this is my current query: "GET /api/transaction/" | parse "GET /api/transaction/*?deviceid=* " as FieldA, FieldB |transactionize FieldA, FieldB (count_distinct(FieldB)) | where _count_distinct > 1 Which yields a nice little table on the Aggregates tab that looks something like this: # _count_distinct 1 2
Please sign in to leave a comment.
Comments
5 comments