I have 2 indexes which have common values in their fields.
index1 has a field dest containing a few values which match index2's DESTIP.
I need to create a search query for getting the values only for the matching values of
index1 dest and index2 DESTIP.
I tried
index=index1 OR index=index2 |eval destination=coalesce(dest, DESTIP)| table destination, app
and it's not working.
try this:
index=index1 OR index=index2| eval destination=case(isnotnull(dest), dest, isnotnull(DESTIP), DESTIP, 1=1, "unknown")| stats values(*) AS * by destination
OR
index=index1 OR index=index2 |eval destination=coalesce(dest, DESTIP)| stats values(*) AS * by destination
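Both searches above group every event by the coalesced destination, so the result still contains destinations that appear in only one of the two indexes. The question asks for the matching values only, so the grouped result has to be filtered down to destinations seen in both indexes. The following is an added example (not code from the original answer or from Splunk's documentation) that does this by counting distinct index names per destination; the field names dest, DESTIP and app are the ones from the question, and the assumption is that index1 carries dest and index2 carries DESTIP, as described.

```spl
index=index1 OR index=index2
| eval destination=coalesce(dest, DESTIP)
| stats values(app) AS app, values(index) AS indexes, dc(index) AS idx_count BY destination
| where idx_count=2
| table destination, indexes, app
```

The dc(index) AS idx_count term is what turns the union of the two indexes into an intersection: a destination that only ever occurs in index1 or only in index2 has idx_count=1 and is dropped by the where clause. If the field alias suggested below is in place (for example a props.conf entry of the form FIELDALIAS-destip = DESTIP AS dest under the sourcetype stanza used by index2), the eval line becomes unnecessary and you can group directly BY dest; the dc(index) filter is still needed to keep only the matching values.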
@deepak007, you should ideally create a Field Alias so that the field name becomes the same in both indexes and can be used for correlation.