Hello,
I am trying to use the result of an intersect to further search in one of the indexes.
| set intersect
[search index=A something...
|table IP]
[search index=B something...
| table IP]
At this point I have a table of common IPs between the two indexes. Now I want to add to that table another field which is only present in the index=B, so the final result will look like:
IP Description
x.x.x.x something1
y.y.y.y something2
Both IP and Description are extracted fields.
I've just tried both solutions but neither works. I want to mention that for one index the IP is named "clientIP" while for the other index it is named "IP_ADDRESS". Also, the description field is present only on the index where the IP is named "clientIP".
Updated the answer, please try it and let us know.
Hi @catalinberbece,
Try this,
EDITED as per the new requirement.
(index=A OR index=B) | rename IP_ADDRESS as clientIP | stats dc(index) as dcIndex, values(Description) as Description by clientIP | where dcIndex > 1
Try this
index=B [search index=A something...
|table IP]
| table IP Description
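A run-anywhere version of the stats-based approach from this thread, added here as an example and not posted by any participant. All rows are constructed sample data built with makeresults; the field src stands in for index, and the 192.0.2.x addresses and Description values are made up. It uses coalesce instead of rename so that the IP is picked up whichever of the two field names an event carries.

```spl
| makeresults count=1
| eval src="A", IP_ADDRESS=split("192.0.2.10,192.0.2.20,192.0.2.30", ",")
| mvexpand IP_ADDRESS
| append
    [| makeresults count=1
     | eval src="B", row=split("192.0.2.20|proxy;192.0.2.30|vpn;192.0.2.99|printer", ";")
     | mvexpand row
     | eval clientIP=mvindex(split(row, "|"), 0), Description=mvindex(split(row, "|"), 1)]
| eval ip=coalesce(clientIP, IP_ADDRESS)
| stats dc(src) as dcSrc, values(Description) as Description by ip
| where dcSrc > 1
| rename ip as IP
| table IP Description
```

Against real data, replace everything before the coalesce line with the two index searches and use index in place of src.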