Hi,
I use the search below to get the row with the max value:
(index="indexa" OR index="indexb") sourcetype="sourceA" | table _time,money,user | eventstats max(_time) as mtime by user |where _time=mtime
but some users cannot be found in the result. And when I add the user to the search below, it exists in the result.
(index="indexa" OR index="indexb") sourcetype="sourceA" user="XXX" | table _time,money,user | eventstats max(_time) as mtime by user |where _time=mtime
How can I find out what is different between the searches above? Thanks
P.S. The search above has 1 million rows in the first phase, and the final result should have 220,000 rows of output.
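One way to locate where the missing users disappear is to keep every row through the eventstats stage, flag whether it would survive the `where`, and then aggregate per user. The search below is an added diagnostic, not part of the original question; it reuses the poster's indexes, sourcetype and field names (`_time`, `money`, `user`) and assumes nothing else about the data. The field names `kept`, `no_mtime`, `total_rows` and `kept_rows` are chosen here for illustration.

```spl
(index="indexa" OR index="indexb") sourcetype="sourceA"
| table _time,money,user
| eventstats max(_time) as mtime by user
``` flag each row instead of filtering it, so no user is lost at this step ```
| eval kept=if(_time=mtime, 1, 0), no_mtime=if(isnull(mtime), 1, 0)
``` one line per user: how many rows it had, how many would pass the where clause, and how many had no mtime computed ```
| stats count as total_rows, sum(kept) as kept_rows, sum(no_mtime) as rows_without_mtime, max(_time) as latest_time by user
``` users that reach this point but would produce zero rows in the original search ```
| where kept_rows=0
```

Usage note: every user listed by this search is present in the base search but would have no row after `where _time=mtime`. If `rows_without_mtime` equals `total_rows` for such a user, `eventstats` never assigned an `mtime` for that user, so the difference arises in the eventstats stage rather than in the base search; if `mtime` is populated but `kept_rows` is still 0, compare `latest_time` against the raw `_time` values of that user to see why the equality test fails. Running the same search with `user="XXX"` added to the base search and comparing the two outputs for that user shows directly which stage behaves differently between the two searches in the question.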