Solved: Re: How to construct a search that combines two di...

pavanae · ‎12-01-2016

I'd joined two different searches and trying to display the search 2 table for search 1 users. Both the searches have the usernames field different

search 1 displays usernames with field name "usernumber"
search 2 displays usernames with field name "userid"

I know if both the searches has same field name i can display as below

search 1 | fields userid | join userid [search 2]

But here the scenario is different. Even though the field names are different, how can i combine those two searches?

sundareshr · ‎12-01-2016

Try this

(base search for search 1) OR (base search for search 2) | eval user=coalesce(usernumber, userid) | stats values(*) as * by user

*OR* if you must user join (not recommeded), just rename the field in the sub-search

search 1 | fields userid | join userid [search | fields | usernumber | rename usernumber AS userid] | ...

sundareshr · ‎12-01-2016

Try this

(base search for search 1) OR (base search for search 2) | eval user=coalesce(usernumber, userid) | stats values(*) as * by user

*OR* if you must user join (not recommeded), just rename the field in the sub-search

search 1 | fields userid | join userid [search | fields | usernumber | rename usernumber AS userid] | ...

How to construct a search that combines two different searches with no common fields?