Hello,
I currently have two queries which both have the same field. Is there a way, using subsearch, to filter out any values that are not in both queries?
Here's what I currently have, but it does not work as expected (the pipe before join was missing):
source=src1.log | join SHARED_FIELD [search source=src2.log]
Thank you in advance!
Example Data:
src1
SHARED_FIELD=blah
SHARED_FIELD=blah2
SHARED_FIELD=blah3
src2
SHARED_FIELD=blah
SHARED_FIELD=blah3
SHARED_FIELD=blah4
Result from query:
SHARED_FIELD=blah
SHARED_FIELD=blah3
Try this slightly different approach:
source=src1.log OR source=src2.log | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1
Use | where source_count = 2 then.
Sure, any combination of filters is possible. Just make sure you get the parentheses right to apply the filter for source one only to source one.
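To make the semantics of the suggested search concrete, here is an added Python model (not Splunk code and not from anyone in this thread) of what eventstats dc(source) ... by SHARED_FIELD followed by a where clause does, run over constructed events that mirror the example data above. It also models the parenthesized per-source filter from the later question, with an assumed TAG1 field on src1 events and an assumed "some matching text" string in some src2 events; those values are illustrative only. Values with source_count = 1 are the ones seen in only one source, and source_count = 2 gives the intersection.

```python
import re
from collections import defaultdict

# Constructed sample events (source, raw text); these are not real log lines.
# TAG1 on src1 and "some matching text" on src2 are assumed for illustration.
EVENTS = [
    ("src1.log", "SHARED_FIELD=blah TAG1=TAG"),
    ("src1.log", "SHARED_FIELD=blah2 TAG1=TAG"),
    ("src1.log", "SHARED_FIELD=blah3 TAG1=other"),
    ("src2.log", "SHARED_FIELD=blah some matching text"),
    ("src2.log", "SHARED_FIELD=blah3 some matching text"),
    ("src2.log", "SHARED_FIELD=blah4 nothing here"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(source, raw):
    """Minimal key=value field extraction, keeping source and the raw text."""
    fields = {"source": source, "_raw": raw}
    fields.update(KV_RE.findall(raw))
    return fields


def base_search(events):
    """Models: source=src1.log OR source=src2.log"""
    return [parse(s, r) for s, r in events if s in ("src1.log", "src2.log")]


def filtered_search(events):
    """Models: (source=src1.log TAG1=TAG) OR (source=src2.log "some matching text")

    The parentheses matter: TAG1=TAG applies only to src1 events and the
    free-text match only to src2 events.
    """
    out = []
    for s, r in events:
        ev = parse(s, r)
        if (ev["source"] == "src1.log" and ev.get("TAG1") == "TAG") or (
            ev["source"] == "src2.log" and "some matching text" in ev["_raw"]
        ):
            out.append(ev)
    return out


def eventstats_dc_source_by(events, by="SHARED_FIELD"):
    """Models: | eventstats dc(source) as source_count by SHARED_FIELD

    Every event keeps its own fields and gains source_count, the number of
    distinct sources that produced the same value of the by-field.
    """
    distinct = defaultdict(set)
    for ev in events:
        distinct[ev[by]].add(ev["source"])
    return [dict(ev, source_count=len(distinct[ev[by]])) for ev in events]


def where_source_count(events, n):
    """Models: | where source_count = n"""
    return [ev for ev in events if ev["source_count"] == n]


def shared_values(events, search=base_search, count=2):
    """Run search -> eventstats -> where and return the surviving SHARED_FIELD values."""
    kept = where_source_count(eventstats_dc_source_by(search(events)), count)
    return sorted({ev["SHARED_FIELD"] for ev in kept})


if __name__ == "__main__":
    print("in both sources:", shared_values(EVENTS, count=2))
    print("in one source only:", shared_values(EVENTS, count=1))
    print("in both, after per-source filters:", shared_values(EVENTS, filtered_search, 2))
```

With the base search, count=2 returns blah and blah3 (the expected result from the question) while count=1 returns blah2 and blah4. With the per-source filters applied first, only blah survives in both sources, because blah3 was dropped from src1 by TAG1=TAG before the distinct count was taken.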
Hey, I just realized that this is only keeping unique values. I actually want to filter those out so that only fields in both sources are recorded. Is there a similar function to dc() that does this?
That means there is no value for SHARED_FIELD that only exists in one source?
Is there any way to add extra tags to the searches?
ie
(source=src1.log TAG1=TAG) OR (source=src2.log "some matching text") | eventstats dc(source) as source_count by SHARED_FIELD | where source_count = 1
Oh, I figured it out! I needed to include the index for the search at the beginning of the query, whoops.
Thanks for the help!
Nope, doesn't seem to be working. I'm still getting 0 events found.