Solved: Re: How to compare different fields having the sam...

pratibha2018 · ‎03-12-2018

How to compare different fields having the same value and though in different events?
For example : index1, source1, sourcetype1 has "n" events and index2, source2, sourcetype2 has "m" events .
Now, some fields from sourcetype1(say field1) have the same values as that of some fields of sourcetype2(sayfield2).
I want for field1=field2 list all the other fields of sourcetype2,sourcetype1. The thing is that I have to compare it in different events.
Not a single event is having both field1 and field2.

tiagofbmm · ‎03-12-2018

Hi

Try this and let me know please

index2 source2 sourcetype2
 [ search index1 source1 sourcetype1 | dedup field1 | return 1000 field2=field1 ]
|  fields - field2

View solution in original post

tiagofbmm · ‎03-12-2018

Hi

Try this and let me know please

index2 source2 sourcetype2
 [ search index1 source1 sourcetype1 | dedup field1 | return 1000 field2=field1 ]
|  fields - field2

pratibha2018 · ‎03-12-2018

It worked.

Many thanks!

How to compare different fields having the same value in different events?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!