Dear All,
I have one question. I have the data like below:
field1:
itema
itemb
itemb
itemc
itemd
iteme
iteme
field2:
itemc
itemd
itemd
iteme
mainfield
itemf
itemc
itemz
I used the search below to get common items and unique items on each fields (field1 and field2).
index=foo source=* | eval commonfield=coalesce(field1,field2) | stats values(source) as source by commonfield | table commonfield
Now I want to compare the common values from field1 and field2 with mainfield. I want to know what are the common items and unique items on commonfield and main field
All the data is in same index and sourcetype.
Thanks.
Raj
Does the main field appears in the same events as field1 and field2?
no, thats in diiferent source
Like this:
index=foo source=* | eval commonfield=coalesce(field1,field2) | stats values(*) as * by commonfield | where commonfield=mainfield
And
index=foo source=* | eval commonfield=coalesce(field1,field2) | stats values(*) as * by commonfield | where commonfield!=mainfield