I am trying to join data from 2 data sources. The first data source contains events; source=events. The second source contains Service tickets; source=tickets. So I need to display event data along with the ticket data. The event source contains a ticket# field called scnumber; while the ticket source contains the ticket# in a field called NUMBER. I want to join the data between scnumber and NUMBER where the ticket # value is equal; they represent the same data but the fields have different names. Both have several fields of data I need; event: node, summary, scnumber; ticket: assignment group, class, and sub-class.
So I thought the query would be either of the 2:
sourcetype=event | rename scnumber as NUMBER | join type=outer NUMBER [search sourcetype=ticket] | table node summary NUMBER class sub-class
or
sourcetype=event OR sourcetype=ticket | eval ticket=coalesce(scnumber,NUMBER) | table node summary ticket class sub-class
So far I'm having no luck. Any help would be appreciated.
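An added example, not from the original post, of the usual Splunk pattern for merging two sourcetypes on a shared key without a subsearch join: normalise the ticket number into one field with coalesce, then collapse the event rows and ticket rows that share it with stats. The sourcetype values and the hyphenated field name are taken from the question; the assignment group field is assumed to be named assignment_group, and double quotes around sub-class are assumed to be how the hyphenated name is referenced.

```spl
sourcetype=event OR sourcetype=ticket
| eval ticket=coalesce(scnumber, NUMBER)
| stats values(node) as node,
        values(summary) as summary,
        values(assignment_group) as assignment_group,
        values(class) as class,
        values("sub-class") as "sub-class"
    by ticket
| where isnotnull(node)
| table ticket node summary assignment_group class "sub-class"
```

The where clause keeps only tickets that had at least one matching event; drop it to see every ticket, including those with no events.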