Also, I tried the above query, but all of the fields are 0: OnlyinSource2, MatchinginBoth and OnlyinSource1.
Sample:
If there is a URL www.xyz.com,
let's say the webtraffic index has the field called url.
intrusiondetection has a field called uri.
index=webtraffic OR index=intrusiondetection | table ur uri filename index | eval filename2=if(index="intrusiondetection",filename,null()) | eval url=coalesce(url,uri) | fields - uri | stats values(webreputation) by url | eval OnlyinSource1=if(mvcount(index)=1 AND index="source1",1,0) | eval OnlyinSource2=if(mvcount(index)=1 AND index="source2",1,0) | eval MatchinginBoth=if(mvcount(index)=2,1,0)
When running this query and searching for www.xyz.com for a timeframe of 4 hours, I should have got the MatchinginBoth value to be 1, as I could see this domain in both indexes. But I get this as 0.
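An added example, not part of the original post: one way to write the classification so that the index names are still available when the three flags are computed. After `stats ... by url` only the by-field and the aggregated fields remain, so `index` is aggregated explicitly with `values()`. It assumes the two indexes are named webtraffic and intrusiondetection as in the post, and that url and uri hold the same form of value (for example both a bare host name); the flags are compared against those index names rather than "source1"/"source2".

```spl
index=webtraffic OR index=intrusiondetection
| eval url=lower(coalesce(url, uri))
| stats values(index) AS index
        values(webreputation) AS webreputation
        values(filename) AS filename
        by url
| eval OnlyinSource1=if(mvcount(index)=1 AND index="webtraffic", 1, 0)
| eval OnlyinSource2=if(mvcount(index)=1 AND index="intrusiondetection", 1, 0)
| eval MatchinginBoth=if(mvcount(index)=2, 1, 0)
| table url index webreputation filename OnlyinSource1 OnlyinSource2 MatchinginBoth
```

If url carries a full URL in one index and only a host or path in the other, the values will not group together under `by url` and need to be normalized to a common form first.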