I've two sources with a Name-Town-Phone list. Now I like to count the entries mentioned in both sources.
For example: Tom and Ben are mentioned in source I and II so I like the result count(mentioned_in_both)=>2
Thanks for the help.
You can do something like this
index=<your_index> source=source1 OR source=source2 | stats count by source | where count>=2
If you have both the sources in different indexes then write index=index1 OR index=index2
instead of index=<your_index>
Let me know if this helps !!
YOu would need to share your current queries using which you can search both source individually to get better answer. With information available, you can do like (assuming there are common fields between them):
(base search source1) OR (base search source2)
| stats count dc(source) as sources by Name Town Phone
| where sources=2 AND count>=2
There is no table/statistic available.
You can do something like this
index=<your_index> source=source1 OR source=source2 | stats count by source | where count>=2
If you have both the sources in different indexes then write index=index1 OR index=index2
instead of index=<your_index>
Let me know if this helps !!
Hey, this isn't a useful solution. I need a number of entries which are in BOTH sources.
e.g. Tom and Ben are in both lists, so I need the result 2.
(The index is the same)
index=<your_index> source=source1 OR source=source2 | stats dc(source) as source_count by <common_field> | where source_count=2
This will give you all the values in the common_field those are present in both the sources/lists.
index= source=source1 OR source=source2 | stats dc(source) as source_count by | where source_count=2 | stats count by ...
Thanks.
Append the two sets of data and then use eventstats to count occurrences, then filter for count.
This is assuming the data is in lookups (since you're referring to "list"). If the data is in an index, write a search that returns data from both sets (as explained in the answers of somesoni2 and mayurr98 and then again count occurrences.