Hello, I have the following example json data:       spec: { field1: X, field2: Y, field3: Z, containers: [ { name: A privileged: true }, { name: B }, { name: C privileged: true } ] }       I'm trying to write a query that only returns privileged containers. I've been trying to use mvfilter but that won't return the name of the container. Here's what I was trying to do:       index=MyIndex spec.containers{}.privileged=true | eval priv_containers=mvfilter(match('spec.containers{}.privileged',"true")) | stats values(priv_containers) count by field1, field2, field3       This will, however, just return "true" in the priv_containers values column, instead of the container's name. What would be the best way to accomplish that? ... View more

I'm trying to do a simple query to get a hostname from events in a different sourcetype. I have a event in sourcetype A, which don't have a field "host_name". This field is present in sourcetype B. The index is the same, let's call it X. Both events can be matched through the field "sensor_id". I want to retrieve the field "process_command_line" from sourcetype A and host_name from sourcetype B, for the events that match the same "sensor_id" field. Here's a sample query that works:     index=X sourcetype=B [search index=X sourcetype=A | table sensor_id] | table sensor_id host_name     However, I also need to retrieve the process_command_line, which is only present in sourcetype A. If I add that to the subsearch, it retrieves zero results:     index=X sourcetype=B [search index=X sourcetype=A | table sensor_id process_command_line] | table sensor_id host_name process_command_line     Any idea how can I retrieve all three fields?     ... View more

Given the simple scenario: I have users in a platform that have actions, I want to return all the users that haven't performed a specific action. For example, I want to return all users that have been doing the action "View", but haven't performed any action "Purchase". The index would be the same. Pseudo query: index=A action=view [ search index=A action=purchase | stats count by user ] | where count by user = 0  Any idea how could I write such query? ... View more