Hi all, can I return fields from a subsearch but not use them as a filter in the outer search? Assuming log1 contains fields like mod, ip and log2 contains fields like user, ip:
sourcetype=log1 mod=http [ search sourcetype=log2 | fields ip, user ]
| stats values(user) as User, values(mod) as Mod by ip
I only want to use the field ip in the outer search but keep the user field in the final stats statement, but it seems the fields returned will be AND'd in the outer search. Would anyone please advise? Thanks.
Rgds
Depending on your data this might do what you need:
sourcetype=log1 mod=http OR sourcetype=log2 | stats values(user) as User, values(mod) as Mod by ip
If you need to filter whether an ip appears in both sourcetypes you could do this:
sourcetype=log1 mod=http OR sourcetype=log2 | stats values(sourcetype) as sourcetype values(user) as User values(mod) as Mod by ip | search sourcetype=log1 sourcetype=log2 | fields - sourcetype
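As an added, self-contained illustration of the second pattern above (this is not the answerer's own search; the events are constructed inline with makeresults rather than read from an index, and the ip, user and mod values are made up), the following search builds two log1 events and two log2 events, then keeps only the ip values that occur in both sourcetypes while still carrying the user field from log2 into the final row. The post-stats `search sourcetype=log1 sourcetype=log2` works because sourcetype is a multivalue field after `values()`, and a multivalue field satisfies `field=value` if any of its values matches, so requiring both values keeps only ips seen on both sides.

```spl
| makeresults count=4
| streamstats count as n
| eval sourcetype=if(n<=2, "log1", "log2"),
       mod=if(sourcetype="log1", "http", null()),
       user=if(sourcetype="log2", "alice", null()),
       ip=case(n=1, "10.0.0.1", n=2, "10.0.0.2", n=3, "10.0.0.1", n=4, "10.0.0.3")
| search mod=http OR sourcetype=log2
| stats values(sourcetype) as sourcetype values(user) as User values(mod) as Mod by ip
| search sourcetype=log1 sourcetype=log2
| fields - sourcetype
```

On this constructed data only ip=10.0.0.1 appears in both sourcetypes, so the result is a single row with ip=10.0.0.1, User=alice and Mod=http; 10.0.0.2 (log1 only) and 10.0.0.3 (log2 only) are dropped. Against real indexes, replace the makeresults/eval block with `sourcetype=log1 mod=http OR sourcetype=log2` as in the answer; the stats-based correlation also avoids the subsearch result limits that a `[ search ... | fields ip ]` filter is subject to on large result sets.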