I have 2 different searches for 2 different sourcetypes with field extractions. I'm doing the field extractions for search1 for xml data.
sourcetype=xmlapp | xmlkv
I'd like to combine the searches in such a way that when field2 from search2 does NOT match any existing field1 from search1, I need to create an alert. Any help is greatly appreciated.
Thank you. That works for finding the events. So, how do I display more fields (e.g. field1, field2, field3 from search#1 and field4, field5 from search#2) in the results so that I can display them in a table (or chart)? I tried the fields command but was not successful.