Filter and Collect Values in Same Table
Retrieves all emails sent from one given person to another given person using the selfJoin() function
Query
selfJoin(email_id, where=[{from=*peter*}, {to=*anders*}], collect=[from,to])
Introduction
The selfJoin() function is a join query that matches events across the same event sets. selfJoin() joins an event set to itself and allows you to combine events from the same table based on two fields in the same event. In order to do this, the event set must have a common field with a unique ID, a primary field, and a secondary (or subquery) field that will be matched to each other.
In this example, emails are logged with one event for each header (each email has its own ID), and the selfJoin() function is used to find and collect all emails sent from one given person to another given person. Notice that this query does two passes over the data and therefore cannot be used in a live query.
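The two passes described above can be modelled in a few lines of Python. This is an added example, not LogScale's implementation: the sample events, the self_join name, glob matching via fnmatchcase and the one-row-per-ID output shape are all assumptions made for illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events: one event per email header, linked by email_id.
EVENTS = [
    {"email_id": "1", "from": "peter@example.com"},
    {"email_id": "1", "to": "anders@example.com"},
    {"email_id": "2", "from": "peter@example.com"},
    {"email_id": "2", "to": "mary@example.com"},
    {"email_id": "3", "from": "anders@example.com"},
    {"email_id": "3", "to": "peter@example.com"},
    # The "to" header arrives before the "from" header for this email.
    {"email_id": "4", "to": "anders@example.com"},
    {"email_id": "4", "from": "peter.smith@example.com"},
]


def self_join(events, key, where, collect):
    """Model of a self join: every (field, glob) clause in `where` must be
    satisfied by some event sharing the same `key` value."""
    # Pass 1: note which clauses each ID has satisfied so far. A clause may
    # be met by a different event than the one meeting the other clause.
    satisfied = defaultdict(set)
    for ev in events:
        for idx, (field, pattern) in enumerate(where):
            if key in ev and field in ev and fnmatchcase(ev[field], pattern):
                satisfied[ev[key]].add(idx)
    matching = {k for k, hits in satisfied.items() if len(hits) == len(where)}

    # Pass 2: only now is the set of matching IDs known, so the events are
    # read again to collect the requested fields for those IDs.
    rows = {}
    for ev in events:
        if ev.get(key) in matching:
            row = rows.setdefault(ev[key], {key: ev[key]})
            for field in collect:
                if field in ev:
                    row[field] = ev[field]
    return rows


if __name__ == "__main__":
    clauses = [("from", "*peter*"), ("to", "*anders*")]
    for row in self_join(EVENTS, "email_id", clauses, ["from", "to"]).values():
        print(row)
```

Email 4 shows why a single pass is not enough: when its to header is read, nothing yet indicates whether the same ID will also match the from clause.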
Step-by-Step
Starting with the source repository events.
selfJoin(email_id, where=[{from=*peter*}, {to=*anders*}], collect=[from,to])
Finds and collects all the values in the email_id field that correspond to mails from Peter to Anders.
Event Result set.
Summary and Results
The query is used to find and collect all emails sent from one given person to another person. In general, the selfJoin() function is useful for narrowing down a set of events in a fairly efficient manner, in cases where the total set of events is too voluminous.