In my search, ContextId and sourceSession have the same values but are indexed into different places. How could I compare the 2 field values? I want to display the command field values.
index=mapps sourcetype=iis host=* earliest=-1h@m
| dedup ContextId
| table ContextId
| join type=inner ContextId
    [search index=gateways source=http:ClientLoggingProd message.application="samrts" earliest=-1h@m
     | dedup "message.sourceSession"
     | rename message.sourceSession as sourceSession]
| eval nodiff=if(match(sourceSession,ContextId),"ContextId",null())
Assumptions: you want the last record from each message.sourceSession from index=gateways that has a ContextId in index mapps for the same time frame.

It is important to note that you aren't using any information from the mapps index other than the presence of a record, so getting the latest is not needed - if any record exists in index mapps for a ContextId, then you want the corresponding latest record from the other index.
Try this...
earliest=-1h@m
(index=mapps sourcetype=iis host=* ) OR (index=gateways source=http:ClientLoggingProd message.application="samrts" )
| rename message.sourceSession as sourceSession
| fields index ContextId sourceSession
| eval ContextId=coalesce(ContextId, sourceSession)
| eventstats max(eval(case(index="mapps",1))) as mappfound by ContextId
| where mappfound=1 AND index="gateways"
| dedup ContextId

(Add whatever other fields you need to the fields list. The coalesce line is needed so the gateways events, which only carry sourceSession, land in the same ContextId group as the mapps events; without it the eventstats by ContextId never sees them and the where clause returns nothing. Because ContextId now holds the sourceSession value for gateways events, the final dedup is on ContextId.)
I would do it like this (gives the list of common ContextId values between your two data sources):

(index=mapps sourcetype=iis host=*) OR (index=gateways source=http:ClientLoggingProd message.application="samrts") earliest=-1h@m
| eval ContextId=coalesce('message.sourceSession',ContextId)
| stats dc(index) as src_count by ContextId
| where src_count=2
| table ContextId

(Counting distinct index values per ContextId and keeping only those seen in both indexes is what restricts the output to the common values; a plain stats count by ContextId would list every ContextId from either source.)
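The coalesce-then-correlate pattern from both answers, as an added self-contained example that is not from either poster: it builds a few constructed events with makeresults instead of reading the real indexes, so the logic can be checked in any Splunk search bar. The field src stands in for the real index field (rex cannot overwrite index), and the row values are invented.

```spl
| makeresults count=1
| eval _raw="mapps,A1 mapps,B2 gateways,A1 gateways,C3 gateways,A1"
| makemv delim=" " _raw
| mvexpand _raw
| rex field=_raw "(?<src>[^,]+),(?<key>.+)"
| fields - _raw
| eval ContextId=if(src="mapps",key,null()),
       sourceSession=if(src="gateways",key,null())
| fields - key
| eval ContextId=coalesce(ContextId, sourceSession)
| eventstats max(eval(case(src="mapps",1))) as mappfound by ContextId
| where mappfound=1 AND src="gateways"
| dedup ContextId
| table src ContextId mappfound
```

Only the A1 gateways event should survive: B2 exists only in mapps, C3 only in gateways, and the two A1 gateways events collapse to one under dedup.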