I have two different fields, but they have the same type of value for eg. "host". So How can I join two fields to have one field with all the hosts?
I have to use some tags with the search, so I'm trying to find some way to deal with this problem, and the tag is related to host and classifies the host based on the environment.
try this search
| set union [search ...... | fields host ] [search ...... | fields host ]|table host
just replace ....... by something and try
try this search
| set union [search ...... | fields host ] [search ...... | fields host ]|table host
just replace ....... by something and try
thank for your accepted answer
Couple ways to tackle this.
src_host
field, and you'd like that field to be included in any host=...
searches. Go to Settings > Fields > Field Aliases
and add a new config saying src_host = host
i want to use a tag i want to include the tag after i have joined the two fields .. is there any way to do tht becuase tag doent produce any result if i use aftr eval command
Do the tags work if you create a field alias?
can you add a sample of the input data and a sample output you are trying to achieve?
2015-03-04T06:24:25+00:00 *_Alarm WARN Profiler Queue Size Limit Reached : Server=rtp-prd-02; Profiler Error Message=1030 EventHandler events dropped;host=****
i want to make host and server as one field . with having all values in host plus with the values of Server.