In this case, in sourcetype="B" I have mac_addres, but in sourcetype="A" I don't have it. So I need to
compare the fields (mac_addres and source_mac). If the source_mac has the same value as mac_addres, I return the fields from sourcetype A (IP, hostname) and sourcetype B (Username) in the same table.

index=main (sourcetype=A)
| fields IP , hostname , source_mac
| dedup IP , hostname , source_mac
| join source_mac
[ search sourcetype="B"
| dedup mac_addres
| rename mac_addres as source_mac
| fields source_mac, Username]
| table Match,IP , hostname , Username

In this case:

index=main (sourcetype=A OR sourcetype=B)
| fields IP , hostname , source_mac , mac_address, Username
| search (mac_address == source_mac)
| table IP, hostname, source_mac, Username

Doesn't work.
Thanks guys.
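
A join-free way to correlate the two sourcetypes on the MAC address, added here as an example and not part of the original post; it assumes the field names source_mac and mac_addres as spelled above, and the names mac and sourcetypes are introduced for illustration. Because `search` compares a field with a literal value rather than with another field, and the two MAC fields never occur in the same event, the events are first given a common key and then grouped with `stats`:

```spl
index=main (sourcetype=A OR sourcetype=B)
| eval mac=lower(coalesce(source_mac, mac_addres))
| where isnotnull(mac)
| stats values(IP) as IP, values(hostname) as hostname, values(Username) as Username, dc(sourcetype) as sourcetypes by mac
| where sourcetypes=2
| table mac, IP, hostname, Username
```

If the two sources format MAC addresses differently (colons versus dashes), normalize the separators in the `eval` before grouping.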