I have two sources Send Log and Received Log
Send Log has four fields namely A B C D. (Combination of 4 fields as unique)
1. ww1 xx2 yy1 zz2
2. ww1 xx1 yy1 zz1
3. ww2 xx1 yy2 zz1
4. ww2 xx2 yy2 zz2
Received Log is having more than 5 fields namely A B C D E with A B C and D having same values as sendlog.
1. ww1 xx2 yy1 zz2 1b3 Done
2. ww1 xx1 yy1 zz1 5bc Done
4. ww2 xx2 yy2 zz2 a3b Processed
If the value of all the four fields A B C and D match, then it should it retrieve the value of F from ReceivedLog and missing record (3rd row as not received)
Please help which is suitable options this case, and how to achieve this.
Appreciate your help..!!
You can do like this (update the base search for each type of logs per your use-case, showing just some sample query here)
(index=foo sourcetype=bar source=*send.log) OR (index=baz sourcetype=qux source=*receive.log) | stats values(source) as sources values(E) as E values(F) as F by A B C D
Thanks for the Answer somesoni2
When I executed this results are like below,
ww1 xx2 yy1 zz2 receive 1b3 Done
ww1 xx2 yy1 zz2 Send
ww1 xx1 yy1 zz1 receive 5bc Done
ww1 xx1 yy1 zz1 send
I need in single row with status, if the record didn't receive in receive.log (Ex. 3. ww2 xx1 yy2 zz1) show as NOT SENT