Hi,
I have two different sourcetypes, src_a and src_b. There are some "transaction_id"s in src_a and "transaction_no"s in src_b. Both are the same. Both sourcetypes belong to the same index.
I have to compare transaction_id in src_a (transaction_no in src_b) whose status=complete in src_b.
Please help.
Ok, you probably need to clarify what type of comparison you want to do; transactions to logically group events from A & B.
Here are some ideas anyway;
Create a common field between the sources and create a transaction based on that.
source=A OR source=B | eval transX = coalesce(transaction_id, transaction_no) | transaction transX
Find events in A that do not have a 'complete' in B
source=A NOT [search source=B status="complete" | rename transaction_no AS transaction_id | fields + transaction_id]
hope this helps,
K
Extending Kristian's answer, if you need all the fields from src_a and src_b for a transaction whose status=complete in src_b, you can use join.
sourcetype=src_a | join transaction_id [search sourcetype=src_b status="complete" | rename transaction_no as transaction_id]
If you just want fields from src_a, this is a little faster way.
sourcetype=src_a | join transaction_id [search sourcetype=src_b status="complete" | stats count by transaction_no | fields - count | rename transaction_no as transaction_id]
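Added example, not code from either answer above: a small Python model of the three SPL patterns in this thread (coalesce + transaction, NOT [subsearch], join with and without the stats dedup) run over constructed src_a/src_b events, so the difference in what each pattern returns is visible side by side. The event fields "user" and the T1/T2/T3 ids are constructed sample data.

```python
# Constructed sample events standing in for the two sourcetypes.
SRC_A = [
    {"sourcetype": "src_a", "transaction_id": "T1", "user": "alice"},
    {"sourcetype": "src_a", "transaction_id": "T2", "user": "bob"},
    {"sourcetype": "src_a", "transaction_id": "T3", "user": "carol"},
]
SRC_B = [
    {"sourcetype": "src_b", "transaction_no": "T1", "status": "complete"},
    {"sourcetype": "src_b", "transaction_no": "T1", "status": "complete"},  # duplicate row
    {"sourcetype": "src_b", "transaction_no": "T2", "status": "pending"},
]


def trans_x(event):
    """eval transX = coalesce(transaction_id, transaction_no): first non-null wins."""
    return event.get("transaction_id") or event.get("transaction_no")


def group_transactions(events):
    """source=A OR source=B | eval transX=coalesce(...) | transaction transX
    Groups every event (from either source) sharing a transX value."""
    groups = {}
    for ev in events:
        groups.setdefault(trans_x(ev), []).append(ev)
    return groups


def a_without_complete_b(src_a, src_b):
    """source=A NOT [search source=B status="complete" | rename ... | fields + transaction_id]
    The subsearch collapses to a set of transaction_id values that are excluded from A.
    Caveat: Splunk truncates subsearch output (10,000 results by default), so on
    large B this anti-join silently stops excluding; watch for the truncation warning."""
    completed = {ev["transaction_no"] for ev in src_b if ev.get("status") == "complete"}
    return [ev for ev in src_a if ev["transaction_id"] not in completed]


def join_complete(src_a, src_b, dedup=True):
    """sourcetype=src_a | join transaction_id [search sourcetype=src_b status="complete" ...]
    Inner join. Like Splunk's join (max=1 by default) only the first matching B row is used.
    dedup=True mirrors the '| stats count by transaction_no | fields - count' variant,
    which reduces the right side to the key alone, so no B fields are carried over."""
    right, seen = [], set()
    for ev in src_b:
        if ev.get("status") != "complete" or (dedup and ev["transaction_no"] in seen):
            continue
        seen.add(ev["transaction_no"])
        row = {"transaction_id": ev["transaction_no"]} if dedup else dict(ev)
        row.pop("transaction_no", None)  # rename transaction_no as transaction_id
        row["transaction_id"] = ev["transaction_no"]
        right.append(row)
    out = []
    for ev in src_a:
        match = next((r for r in right if r["transaction_id"] == ev["transaction_id"]), None)
        if match is not None:
            out.append({**match, **ev})  # A's own fields win on a name clash
    return out
```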
Thank you somesoni for your time!!
Thanks kolb & somesoni!!