Good day!
I need to compare the results of a search query that contains multivalued fields.
My search query looks like this:
sourcetype = MySourceType earliest = 0 latest = now()
| eval category = if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater")
| chart values(deviceID) by IP, category
| eval compare = if(DeviceIDlater=DeviceIDnew, 0, 1)
| table IP, DeviceIDlater, DeviceIDnew, compare
Despite the fact that, in most cases, the comparison is correct, I noticed that in some cases there are errors.
For example:
In the example above, I mean that compare = 0 because the values of DeviceIDnew are contained in the field DeviceIDlater.
Could you help me, please? What is the correct way to compare multi-value fields?
Thank you!
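An added example, not part of the original post, showing one way to express the "DeviceIDnew is contained in DeviceIDlater" check in SPL. It keeps the post's search and field names and assumes the chart columns are named DeviceIDlater and DeviceIDnew as in the original query; `=` on multivalue fields does not test set containment, so the check is done by comparing the size of the deduplicated union against the size of DeviceIDlater, with nulls coalesced to 0 so an IP with no devices in one window still gets a defined result.

```spl
sourcetype=MySourceType earliest=0 latest=now()
| eval category=if(_time>relative_time(now(), "-2h@h"), "DeviceIDnew", "DeviceIDlater")
| chart values(deviceID) by IP, category
``` union of both windows with duplicates removed; a null side is ignored by mvappend
| eval union_count=coalesce(mvcount(mvdedup(mvappend(DeviceIDlater, DeviceIDnew))), 0)
``` number of distinct devices seen in the older window (0 when the field is null)
| eval later_count=coalesce(mvcount(mvdedup(DeviceIDlater)), 0)
``` if adding the new devices did not grow the set, every new device was already known
| eval compare=if(union_count==later_count, 0, 1)
| table IP, DeviceIDlater, DeviceIDnew, compare
```

compare=1 then flags exactly the IPs where a device ID appears in the last two hours that was never seen earlier, regardless of the order or count of values in either field.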