I have a macro that I want to run on multiple subsets of a data source (a group-by field). I can set up the search manually to do this by using the append command, but I'd like to make this automatic and more efficient. For instance, I want to run something akin to the map command but that performs calculations on groups (multiple rows that share a common field).
The main reasons I want to do this are to avoid having to manually append searches for each group, but also for efficiency - I want to avoid having to go to the index and pull the data multiple times along with repeated calls to a lookup to get the group-by field. The current approach I'm taking is this:
index=test
| lookup testLookup lookupField
| search lookupGroup = "A"
| `macrofnx`
| append [
search index=test
| lookup testLookup lookupField
| search lookupGroup = "B"
| `macrofnx`
]
| append [ ...]
So it seems inefficient to have to manually do the index pull and lookup join just to get the subgroup by which to do the calculation. Ideally I'd want something like this functionality (where the groupBy command would send subsets of the data sequentially to the macrofnx and stitch them all together):
index=test
| lookup testLookup lookupField
| groupBy lookupGroup [`macrofnx`]
Any thoughts on if there is a way to do something similar, and avoid having to make repeated calls to the index and lookup, would be appreciated.
Thanks