I'm trying to pull back events that have a specific field value, but should only return events that match that field value if it has related events (two criteria of subsearches match).
E.g., I have a part, and I only want to return that part if it has two subparts:
```
{
  "part_id": 1234,
  "part_name": "main",
  ....
}
{
  "ref_part_id": 1234,
  "part_name": "docker",
  "manufacturer": "bar",
  ...
}
{
  "ref_part_id": 1234,
  "part_name": "docker",
  "manufacturer": "foo",
  ...
}
{
  "part_id": 5678,
  "part_name": "main",
  ....
}
{
  "ref_part_id": 5678,
  "part_name": "docker",
  "manufacturer": "foo",
  ...
}
{
  "ref_part_id": 5678,
  "part_name": "docker",
  "manufacturer": "bar",
  ...
}
```
I only want to return events where the field 'part_name' is 'main', but I need those events only where they belong to the main part which has a specific ID, the part_name is 'docker' and it has both 'docker' parts from two manufacturers ('foo' and 'bar') (it can have other parts and manufacturers, but HAS to at least have those two).
```
part_name=main | join max=0 part_id [search manufacturer=bar part_name=docker| rename ref_part_id AS part_id] | join max=0 part_id [search manufacturer=foo part_name=docker | rename ref_part_id as part_id]
```
I'm getting unexpected results.
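One way to express this requirement without `join` subsearches, as an added example that is not part of the original post: it groups each main part with its 'docker' subparts on a shared ID and keeps a main event only when both manufacturers are present. The field names `join_id` and `docker_mfrs` are hypothetical names introduced here, and the search assumes `part_id`, `ref_part_id`, `part_name` and `manufacturer` are already extracted fields and that all of these events are reachable from the same base search.

```spl
(part_name=main) OR (part_name=docker (manufacturer=foo OR manufacturer=bar))
| eval join_id=coalesce(part_id, ref_part_id)
| eventstats dc(eval(if(part_name=="docker", manufacturer, null()))) AS docker_mfrs BY join_id
| where part_name=="main" AND docker_mfrs=2
| fields - join_id docker_mfrs
```

Because the base search only admits 'docker' events from 'foo' or 'bar', a distinct count of 2 per `join_id` means both are present; subparts from other manufacturers are filtered out before counting and do not affect the result.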