join/combine two searches into single table, duplicate records override with the first value.
Search1:
host=test* sourcetype=coner | rex "(?\w+) typecode=" | table id, type, code
Result:
ID Type Code
1111 MethodA 201
1111 MethodA 200
1111 MethodA 201
2222 MethodA 200
Search2:
host=test* sourcetype=coner | rex "(?\w+) status=" | table id, staus
Result:
ID Status
1111 POST
1111 PRE
1111 POST
2222 PRE
join Search:
host=test* sourcetype=coner | rex "(?\w+) typecode=" | table id, type, code | join id [ search host=test* sourcetype=coner | rex "(?\w+) status=" | table id, staus] | table id, type, code, staus
Result:
ID Type Code Status
1111 MethodA 201 POST
1111 MethodA 200 POST
1111 MethodA 201 POST
2222 MethodA 200 PRE
I want to combine Search1 & Search2, and expecting the table as:
Result:
ID Type Code Status
1111 MethodA 201 POST
1111 MethodA 200 PRE
1111 MethodA 201 POST
2222 MethodA 200 PRE
Please suggest me the best solution to achieve this.
... View more