Hello,
I'm trying to compare a host field from two different sources. I've managed to do that with the following search:
source="/home/conf/admin/log/nouveaux_clients.txt" OR source="WinEventLog:Security" | eval common_host=coalesce(hote, host) | stats dc(source) as occur by common_host | where occur>1
This gives me a table with all the fields that exist in both. However I'm trying to find a way to show what is in my first source but isn't in my second.
Hope I was clear enough 😉
Ok, this will solve the 'exists only in first' problem.
source="/home/conf/admin/log/nouveaux_clients.txt" NOT [search source="WinEventLog:Security" | dedup host | rename host as hote| fields +hote]| stats values(hote) as only_in_first
/K
I'd say on the same it would be ideal but then if it's not possible we'll manage with two different searches 😉
Did you want a separate search with its own table, or did you want to modify this search to also include what is in the first but not in the second?
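Since the thread asks for both results in one search, here is an added example (my own, not K's answer and not part of the original thread) that extends the coalesce/stats search from the question so that a single run labels each host as present in both sources or only in the first. The field names hote and host and the two source values come from the thread; the status labels and the field name sources are my own choices.

```spl
source="/home/conf/admin/log/nouveaux_clients.txt" OR source="WinEventLog:Security"
| eval common_host=coalesce(hote, host)
| stats dc(source) AS occur, values(source) AS sources BY common_host
| eval status=case(
    occur>1, "in both",
    sources="/home/conf/admin/log/nouveaux_clients.txt", "only in first",
    true(), "only in second")
| where status!="only in second"
| table common_host status sources
```

Because stats groups by common_host first, a host seen in only one source has a single value in sources, so the equality test in case() is enough to tell which side it came from; remove the where clause if you also want the hosts that exist only in the Windows Security log.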