Hi,
I am trying to join to log files under same index & sourcetype having a common field between them.
log event where type=dte2_fios has below fields
TRANID, ANALYSIS, WPID (this is common field), COMMAND
log event where type=dte4_fios has below fields
REQID, FT, WPID (this is common field), DIP, DTE,FTC,ERR_MSG
I need a table output with below fields and its corresponding value in each row
TRANID WPID, REQID,ANALYSIS ,COMMAND,FT,DIP,DTE,FTC,ERR_MSG
I used below query, but it is giving me multiple values for REQID & FT in single row as one WPID will have multiple REQID & FTs. I need separate row with all the above fields
index=delb_np sourcetype="app_kafka_np_east" AND (function_name="dte2_fios" OR function_name="dte4_fios")
| table _time @timestamp function_name log_message.WPID log_message.CID log_message.TN log_message.TRANID log_message.REQID log_message.ANALYSIS log_message.COMMAND log_message.DIP log_message.FT
| stats values(log_message.TRANID) as TRANID, values(log_message.REQID) as REQID, values(log_message.ANALYSIS) as ANALYSIS, values(log_message.COMMAND) as COMMAND, values(log_message.DIP) as DIP, values(log_message.FT) as FT by log_message.WPID, log_message.CID
