Hello
I have three sources whose fields I need to compare. Let's say index=A, index=B and index=C. All three sources have a unique field D. I should compare the values that are in index B and index C to check that they are present in index=A; if index A has values other than those of index B & C, then I should get a result of unauthorized.
If D is the transaction ID to correlate the same event in three indexes then you can try
index=A OR index=B OR index=C <Add your base search filter criteria>
| stats count as EventCount values(index) as MatchedIndexes min(_time) as MinTime max(_time) as MaxTime by D
| search MatchedIndexes=A AND MatchedIndexes=B AND MatchedIndexes!=C
| eval durationInSeconds=MaxTime-MinTime
| eval _time=MinTime
| table _time D EventCount MatchedIndexes durationInSeconds
If field D is always present but may differ across your three indexes, you can use D=* in your base search.
@jarapally Were you able to check the answer?
Please add more details on whether field D is used to correlate the events or to compare the events. Do you have some sample data from the three indexes?
Compare the values of the field D, which is a unique bank transaction ID. Index B and Index C have values of field D that are present in Index A. The transaction IDs that are present in both Index B and Index C should be present in Index A; if not, they are flagged as unauthorized.
Index A Event:
Message sent: {A:xxxxx}{B:3XXXXXN}{C:{xxxx}{D:xxxxxx}}{E: :xxxxxxyyyyyyyy}}"
Index B Event:
02-20-2017 03:34:07 INFO XXXXXXXXX message: {A:AXXX00}{B:XXXXN}{C:{XXXX}{D:xxxxxxxx}}{E:
xxxxxxxxxxxxxxx
-}
Index C Event:
"{A:XX0000000000}{B:IXXXXN}{C:{D:xxxxxxx}}{E:
:xxxxxxxxxxxxxxxxxx
}
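Putting the answer above together with the rule clarified in this reply (a transaction ID seen in both Index B and Index C must also appear in Index A, otherwise it is unauthorized), here is an added example search that is not from any participant in this thread. It assumes the index names A, B and C as used in the thread, and it assumes D is not yet an extracted field, so it pulls D out of the `{D:...}` token visible in the sample events with a rex (drop that line if your sourcetype already extracts D). The letters inside the message body (`{A:...}{B:...}`) are message keys, not index names, and are ignored here.

```spl
index=A OR index=B OR index=C
| rex field=_raw "\{D:(?<D>[^}]+)\}"
| where isnotnull(D)
| stats count AS EventCount values(index) AS MatchedIndexes min(_time) AS MinTime max(_time) AS MaxTime BY D
| eval InA=if(isnotnull(mvfind(MatchedIndexes,"^A$")),1,0),
       InB=if(isnotnull(mvfind(MatchedIndexes,"^B$")),1,0),
       InC=if(isnotnull(mvfind(MatchedIndexes,"^C$")),1,0)
| eval Status=case(InB=1 AND InC=1 AND InA=0, "unauthorized",
                   InB=1 AND InC=1 AND InA=1, "authorized",
                   true(), "incomplete")
| eval _time=MinTime, DurationInSeconds=MaxTime-MinTime
| table _time D Status MatchedIndexes EventCount DurationInSeconds
| sort Status
```

The three InA/InB/InC flags come from mvfind over the multivalue MatchedIndexes field, so the case() statement reads the same way as the requirement: B and C without A is "unauthorized", all three is "authorized", and anything else (only one or two of B/C seen so far) is "incomplete" rather than silently dropped. For an alert, append `| where Status="unauthorized"`. One caveat when scheduling this: the Index A event for a transaction may be written later than the B and C events, so run the search over a window that covers the expected propagation delay between the three systems, or a transaction that is still in flight will be flagged as unauthorized.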