Hello,
What is the command to check if a field exists in one column but not the other?
For example, to count the "10.2.3.3" because it exists in the source column but not in the target column:
source_ |target
10.1.2.3 |10.1.2.3
10.2.3.3 |10.2.2.2
Thanks
Try this:
yoursearch | table source, target | where source!=target
Not working.
I downvoted this post because it is not an answer.
Although the question is 4 years old, I had encountered something similar for an Alert. Please try this:
| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| stats values(ip1) as ip1, values(ip2) as ip2
| mvexpand ip1
| mvexpand ip2
| where ip1 = ip2
| makeresults count=10
| streamstats count as temp
| eval temp1=abs(10-temp)
| eval ip1="10.10."+temp+"."+temp1
| eval ip2="10.10.7.".temp
| eventstats values(ip2) as tmp
| stats count(eval(match(tmp,ip1))) as count list(ip2) as ip2 values(temp) as temp by ip1
| sort temp
| fields - temp
@sidbisht your creating temp1 is interesting.
How about this query?
For comparing fields, make multi value and use match(), I think.
There won't be a straightforward command for the comparison. Try this subsearch method:
your base search | where NOT [search yourbasesearch | stats count by target | table target | rename target as source] | stats count by source
Not working...
Do you simply want to list, or do you want to count as well?
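An exact-match way to count values that appear in `source` but nowhere in `target`, added here as an example and not taken from any post in this thread. It compares whole strings rather than regular expressions, so the dots in an IP address are not treated as wildcards. The first four lines build constructed sample rows from the question's table; the field names `row`, `pair`, `column`, `columns`, `ip` and `only_in_source` are assumptions.

```spl
| makeresults count=2
| streamstats count as row
| eval source=if(row=1, "10.1.2.3", "10.2.3.3")
| eval target=if(row=1, "10.1.2.3", "10.2.2.2")
| eval pair=mvappend("source|".source, "target|".target)
| mvexpand pair
| eval column=mvindex(split(pair, "|"), 0), ip=mvindex(split(pair, "|"), 1)
| stats values(column) as columns by ip
| where mvcount(columns)=1 AND columns="source"
| stats count as only_in_source, values(ip) as ip
```

To run it on real data, replace the first four lines with the base search that yields the `source` and `target` fields.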