I am using the query below to achieve an IN condition on the same source. Basically, I am finding how many orders have been confirmed from hold. I got what I need, but is there a better way of doing it?
In simple words: an SQL IN query from the same table.
sourcetype="sourcetype1*" "called with OrderId : * and OperationType : confirm*" | rex field=message "OrderId : (?<OrderId>.*?) and" | table OrderId | join type=inner OrderId
[| search sourcetype="sourcetype1*" "called with OrderId :*, Type : mobile* and OperationType : hold" | rex field=message "OrderId : (?<OrderId>.*?,)" | table OrderId] | stats count by OrderId