I have search1, which is a join of two different log sources (S1, S2). After joining these sources, I used rex to extract one specific field, field1 (I had to combine the two sources because that gave me all the data I needed).
index=sthng sourcetype=S1 <some condition Y> | join common_field [ search sourcetype=S2 LogType=* | fields - <fields to be excluded> ] | rex field=<field> "<regex extracting f1>" | stats values(*) | eval <condition resulting in field Z> | search z > 10
I have another search whose results come from another source (S3). In this search I again used rex to extract one specific field, field2.
index=sthng sourcetype=S3 <some condition C> | rex field=<field> "<regex extracting f2>"
Now I want to compare these two searches on field1 and field2: take field1 and field2 from the results of both searches, and if, at the same time (or around the same time), field1 is not equal to field2, show me those results.
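One way to do the time-aligned comparison asked for above, as an added example that is not part of the original post. It keeps the poster's index, sourcetypes and field names (index=sthng, S1/S2/S3, field1, field2, z > 10); the angle-bracketed conditions and regexes are placeholders for the poster's own, the 5-minute window and the tag names `src` and `cmp_field` are assumptions, and it assumes each search still carries `_time` when it reaches the comparison (a `stats` without a `by` clause drops `_time`, so the first search's `stats values(*)` is replaced here by `stats values(*) by _time, common_field` so the events stay time-aligned).

```spl
index=sthng sourcetype=S1 <some condition Y>
| join common_field [ search sourcetype=S2 LogType=* | fields - <fields to be excluded> ]
| rex field=<field> "<regex extracting f1>"
| stats values(*) as * by _time, common_field
| eval <condition resulting in field Z>
| search z > 10
| eval src="S1", cmp_field=field1
| append
    [ search index=sthng sourcetype=S3 <some condition C>
      | rex field=<field> "<regex extracting f2>"
      | eval src="S3", cmp_field=field2 ]
| bin _time span=5m
| stats values(cmp_field) as values_seen, dc(cmp_field) as distinct_values, values(src) as sources by _time
| where distinct_values > 1 AND mvcount(sources) > 1
```

`bin _time span=5m` defines "around the same time" as the same 5-minute bucket; widen or narrow the span to taste. `dc(cmp_field) > 1` flags buckets where field1 and field2 disagree, and `mvcount(sources) > 1` keeps only buckets where both searches actually contributed, so a bucket with events from only one source is not reported as a mismatch. Note that `append` is subject to subsearch result and time limits, so for large S3 volumes the same pattern can be written with `multisearch` over the two searches instead.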