I'm new to Splunk and I'm trying to add some logic to reduce false positives.
I have two indexes
index=A
index=B
Both indexes have a field that has the same data I can match on:
Index A has a field (A_field_match)
Index B has matching field (B_field_match)
Both indexes have index-specific fields I would like to add together in a table for true enrichment of the data:
Index A has A_interesting_field_1 A_interesting_field_2 A_interesting_field_3 A_interesting_field_4
Index B has B_interesting_field_1 B_interesting_field_2 B_interesting_field_3 B_interesting_field_4
Each index has very helpful fields that I can search on to remove false positives if I can match on A_field_match and B_field_match from both indexes.
I have tried transaction, stats, and join, but I am completely lost and getting nowhere.
Any help would be greatly appreciated.
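One way to do the correlation the post asks for, as an added example (not code from the original post or from Splunk documentation): search both indexes in a single pass, normalise the two key fields into one common key with coalesce, and let stats do the join by grouping on that key. The field names are the placeholders from the post; the time range, the A_events/B_events counters, and the final where clause are assumptions and stand in for whatever false-positive condition the two indexes actually support.

```spl
(index=A OR index=B) earliest=-24h
| eval match_key=coalesce(A_field_match, B_field_match)
| stats
    values(A_interesting_field_1) as A_interesting_field_1,
    values(A_interesting_field_2) as A_interesting_field_2,
    values(A_interesting_field_3) as A_interesting_field_3,
    values(A_interesting_field_4) as A_interesting_field_4,
    values(B_interesting_field_1) as B_interesting_field_1,
    values(B_interesting_field_2) as B_interesting_field_2,
    values(B_interesting_field_3) as B_interesting_field_3,
    values(B_interesting_field_4) as B_interesting_field_4,
    count(eval(index="A")) as A_events,
    count(eval(index="B")) as B_events
    by match_key
| where A_events > 0 AND B_events > 0
| table match_key A_interesting_field_* B_interesting_field_* A_events B_events
```

The stats ... by match_key line is the join: every event from either index that shares a key collapses into one row carrying both sides' fields, and rows where A_events or B_events is zero are keys seen in only one index, which the where clause drops (remove that line to keep them as partial matches). Put the actual suppression logic in the same where clause or in a second one after it, e.g. a test on a B_interesting_field value that marks the activity as benign. This pattern avoids join, whose subsearch result limits silently truncate large result sets, and avoids transaction, which is slower and meant for ordering events in time rather than keying them. If the two key fields differ in case or formatting, normalise them inside the eval (for example lower() or trim()) before the stats.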