How do I compare two different fields, with the same name, from two different sourcetypes?
I am trying to check one data source against another, but I seem to only get results from a single source.
I tried two approaches and neither works. I believe it is because the field has the same name.
The field is dest:
First attempt:
(index=A sourcetype="A") OR (index=B sourcetype="B")
| dedup dest, sourcetype
| stats dc(sourcetype) as sourcetypes by dest
Second attempt:
(index=A sourcetype="B") OR (index=A)
| stats dc(index) as occurrence by dest
| where occurrence < 2
I think that you can compare in the first attempt.
Try this!
(index=A sourcetype="A") OR (index=B sourcetype="B")
| stats dc(sourcetype) as occurrence, values(sourcetype) as sourcetypes by dest
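Building on the search above, an added example (not part of the original posts) that lists each dest seen in only one of the two sourcetypes and names the one it is missing from. The index and sourcetype names are the placeholders from the question, missing_from is a field name chosen for illustration, and lowercasing and trimming dest is an assumption that the two sources may format the value differently.

```spl
(index=A sourcetype="A") OR (index=B sourcetype="B")
| eval dest=lower(trim(dest))
| stats dc(sourcetype) as occurrence, values(sourcetype) as sourcetypes by dest
| where occurrence < 2
| eval missing_from=if(sourcetypes="A", "B", "A")
| table dest, sourcetypes, missing_from
```

Changing the where clause to occurrence = 2 returns the dest values present in both sources instead.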