My datasets are much larger, but these represent the crux of my hurdle:
sourcetype=sale_by
fields: sid, user
sourcetype=sale_made
fields: sid, amount
Where: `sale_made.sid = sale_by.sid`
I have this search that works:
`sourcetype=sale_by | join sid [ search sourcetype=sale_made ] | stats sum(amount) by user`
Can this be done more efficiently with stats?
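An added example, not part of the original post: one common way to express this join with `stats` alone, assuming each `sid` appears with exactly one `user` in `sale_by`. The `total_amount` field name is chosen here for illustration.

```spl
(sourcetype=sale_by OR sourcetype=sale_made)
| fields sid, user, amount
| stats values(user) AS user, sum(amount) AS amount BY sid
| where isnotnull(user) AND isnotnull(amount)
| stats sum(amount) AS total_amount BY user
```

The `where` clause drops any `sid` seen in only one of the two sourcetypes, which mirrors the inner-join behaviour of the original search without running a subsearch.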