I have a question:
I have a sourcetype A with a field "ip" and a "name"
I have a sourcetype B with a field "ip" and a "name"
I would like to know if you know how to associate the fields that are identical at the level of the ip and whose name is different.
Knowing that I have no access to the limit.config file and that every sourcetype has more than 70 000 fields.
As a first jab, take a look at this:
sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip | where sourcetypes>1
Whether that's anywhere near what you're looking for depends on what you're looking for.
To also add the date into the stats and filter only those with differing names you can do this:
sourcetype=A OR sourcetype=B | stats values(name) as names dc(sourcetype) as sourcetypes by ip date | where sourcetypes>1 AND mvcount(names)>1
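To see which groups the search above keeps and which it drops, here is an added Python emulation of its `stats ... by ip date | where ...` logic, with `dc` taken over the `sourcetype` field. It is not code from the thread; the function name `name_mismatches` and the sample events are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (documentation-range IPs, not data from the thread).
EVENTS = [
    {"sourcetype": "A", "ip": "192.0.2.45", "name": "max",  "date": "2014/03/05"},
    {"sourcetype": "B", "ip": "192.0.2.45", "name": "john", "date": "2014/03/05"},
    {"sourcetype": "A", "ip": "192.0.2.89", "name": "bob",  "date": "2014/03/05"},
    {"sourcetype": "B", "ip": "192.0.2.89", "name": "bob",  "date": "2014/03/05"},
    # Two names, but both seen in sourcetype A only.
    {"sourcetype": "A", "ip": "192.0.2.12", "name": "amy",  "date": "2014/03/05"},
    {"sourcetype": "A", "ip": "192.0.2.12", "name": "ann",  "date": "2014/03/05"},
    # Next day: the B event has no name field at all.
    {"sourcetype": "A", "ip": "192.0.2.45", "name": "max",  "date": "2014/03/06"},
    {"sourcetype": "B", "ip": "192.0.2.45", "date": "2014/03/06"},
]

def name_mismatches(events):
    """Emulate:
    stats values(name) as names dc(sourcetype) as sourcetypes by ip date
    | where sourcetypes>1 AND mvcount(names)>1
    """
    groups = defaultdict(lambda: {"names": set(), "sourcetypes": set()})
    for ev in events:
        # stats drops events that lack any of the "by" fields.
        if "ip" not in ev or "date" not in ev:
            continue
        group = groups[(ev["ip"], ev["date"])]
        if "sourcetype" in ev:
            group["sourcetypes"].add(ev["sourcetype"])   # feeds dc(sourcetype)
        if "name" in ev:
            group["names"].add(ev["name"])               # feeds values(name)
    rows = []
    for (ip, date), group in sorted(groups.items()):
        # where sourcetypes>1 AND mvcount(names)>1
        if len(group["sourcetypes"]) > 1 and len(group["names"]) > 1:
            rows.append({
                "ip": ip,
                "date": date,
                "names": sorted(group["names"]),  # values() is distinct and sorted
                "sourcetypes": len(group["sourcetypes"]),
            })
    return rows

if __name__ == "__main__":
    for row in name_mismatches(EVENTS):
        print(row)
```

An IP whose second sourcetype carries no `name` at all is not reported, because only one distinct name exists for that group.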
It's true that, in the end, it is simple. But I had analyzed the thing badly. In fact, I make an accelerated request to get back the information.
I thus find myself with this:
Ip | name | date | sourcetype
192.168.1.45 | max | 2014/03/05 | A
192.1681.1.89 | bob | 2014/03/05 | A
192.168..45 | john | 2014/03/05 | B
192.168.1.89 | bob | 2014/03/05 | B
I want the people who have the same Ip but who, on the same day, do not have the same sourcetype and name. Is it possible? Cordially.