I want to compute a join of an extracted, multi-value SourceTypeA:field_a string variable with an extracted SourceTypeB:field_b string variable.
I've received a partial answer on how to do a "detour join" in Splunk via Intersect and Stats:
(sourcetype="SourceTypeA" ...) OR (sourcetype="SourceTypeB" ...)
| eval c = if(sourcetype=="SourceTypeA", SourceTypeA:field_a, SourceTypeB:field_b)
| stats values(x) values(y) values(z) by c
I'm guessing the searches (for the extracted, multi-value field_a and extracted field_b) go in the sourcetype clauses above.
I want to output the values where SourceTypeA:field_a = SourceTypeB:field_b.
Thanks for your help.
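The stats-based correlation quoted above, carried through end to end as an added example that is not part of the original post. It assumes the extracted fields are named field_a (multi-value) and field_b; the events and their values are constructed with makeresults so the search runs without any indexed data, and in a real search the two sourcetype clauses replace the makeresults/append lines.

```spl
| makeresults
| eval sourcetype="SourceTypeA", field_a=split("alpha,beta,gamma", ",")
| append [| makeresults | eval sourcetype="SourceTypeB", field_b="beta"]
| append [| makeresults | eval sourcetype="SourceTypeB", field_b="delta"]
| eval c=if(sourcetype=="SourceTypeA", field_a, field_b)
| mvexpand c
| stats dc(sourcetype) AS sourcetype_count values(sourcetype) AS sourcetypes by c
| where sourcetype_count=2
```

mvexpand splits the multi-value field_a into one row per value before grouping, and the final where clause keeps only the values of c that were seen in both sourcetypes (here, only beta).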