I'm trying to create a search to validate two files match on a given field.
I want to check that all the event numbers (a field in the event) in one log file (source1) match those in another log file (source2); event timestamps are identical between the log files.
In Splunk I have fields log1_num (source1) and log2_num (source2) representing the event numbers I am looking to match on. I know I need to run a sub-search to separate the sources first, but my question is how do I then match on the fields?
Thanks!
Hello
Try with join like:
yoursearch | join _time [subsearch] | eval to compare fields | ...
Given that the timestamp are identical in both sources
Regards
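A worked version of the join pattern from the answer above, added here as an example and not part of the original post. The index name and sourcetype names (`your_index`, `source1`, `source2`) are placeholders, and the field names `log1_num` and `log2_num` are taken from the question. The subsearch pulls source2 and is joined to source1 on `_time`, after which `eval` compares the two numbers and `stats` summarises how many events matched.

```spl
index=your_index sourcetype=source1
| fields _time log1_num
| join type=outer _time
    [ search index=your_index sourcetype=source2
      | fields _time log2_num ]
| eval match=case(isnull(log2_num), "missing_in_source2",
                  log1_num==log2_num, "match",
                  true(), "mismatch")
| stats count by match
```

`type=outer` keeps source1 events that have no counterpart at the same `_time`, so they show up as `missing_in_source2` rather than silently disappearing; the default inner join would drop them. Drop the final `stats` line to list the individual events with their `match` value. Note that `join` requires an exact `_time` match, and the subsearch is subject to Splunk's subsearch limits (by default 50,000 results and 60 seconds), so on large sources the same comparison is often done without a subsearch by searching both sourcetypes at once, using `eval` to copy `log1_num`/`log2_num` into a common field, and running `stats values(...) dc(...) by _time`.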