Hello,
I have events that are emitted by many partners to 4 different servers.
My goal is to find events for each partner that are received on two servers but NEVER on the others (and vice versa).
Actually, I'm doing a search for events that match with server1 or server2. Then, I do another search for events that match with server3 or server4. And finally I export everything in a CSV and I am doing the list of partners that are only present on one of the groups
What I am trying to obtain is like an SQL "Full Join without intersection"
My actual search is like :
index="XXX" Direction=I (Gateway=server1 OR Gateway=server2) | stats count by Partner
Is it possible to obtain what I need in an only search ?
Thank you
@zebu14
Can you please try below search?
| YOUR_FIRST_SEARCH | stats count by Partner | rename Partner as Partner1
| appendcols
[
search | YOUR_SECOND_SEARCH | stats count by Partner | rename Partner as Partner2
]
| eventstats values(Partner2) as Partner2_All values(Partner1) as Partner1_All
| eval Partner1_in=if(isnull(Partner1),"1",mvfind(Partner2_All,Partner1)), Partner2_in=if(isnull(Partner2),"1",mvfind(Partner1_All,Partner2))
| eval Partner1=case(isnull(Partner1_in),Partner1), Partner2=case(isnull(Partner2_in),Partner2) | table Partner1 Partner2
Hello,
Thanks for your proposal.
I obtain two columns in which some partners are common and others are not...
It doesn't seem to work.
Maybe I didn't explain my need correctly.
If I consider two columns 1 and 2:
1:    2:
AAA   AAA
BBB   CCC
CCC   EEE
DDD
I want the search to give me this answer
BBB
DDD
EEE
And not the events that are present in each column (or independent search)
Maybe it is possible to do through the function "Join type=outer" but I can't find a suitable syntax for my search job.
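An added example, not part of the original thread: one way to get the "full join without intersection" in a single search is to label each event with its server group and keep only the partners seen in exactly one group. The index, field names and server names come from the question; `ServerGroup`, `GroupCount` and `SeenOn` are hypothetical names introduced here, and the search assumes the `Gateway` values are exactly `server1` to `server4`.

```spl
index="XXX" Direction=I (Gateway=server1 OR Gateway=server2 OR Gateway=server3 OR Gateway=server4)
| eval ServerGroup=if(Gateway="server1" OR Gateway="server2", "group1", "group2")
| stats dc(ServerGroup) as GroupCount values(ServerGroup) as SeenOn count by Partner
| where GroupCount=1
| table Partner SeenOn count
```

With the columns from the last post this returns BBB and DDD (seen only on group1) and EEE (seen only on group2). Comparisons inside `eval` are case-sensitive, unlike the base search, so the server names must match the stored `Gateway` values exactly.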