How to compare fields of two different events and ...

jhonsonkelly56 · ‎07-13-2019

Eg : Event 1 : Field1, Field a, Field b
Event 2 : Field2, Fields n, Field y

How to compare Field1 of event 1 and Field2 of event2 and output put the matching event count.

woodcock · ‎07-14-2019

Assuming that there is one event that is at the end that indicates "session/transaction complete" and that your "joiner" field is host, you do it like this:

(index=source1 AND sourcetype=source1) OR (index=source2 AND sourcetype=source2)
| streamstats count(eval(searchmatch("session/transaction complete"))) AS sessionID BY host
| stats values(*) AS * BY sessionID host
| stats count AS total_session_count count(eval(Field1==Field2)) AS match_count BY host

woodcock · ‎07-14-2019

If you have a "session/transaction start" event, then do a | reverse at the top.

woodcock · ‎07-14-2019

Like this:

(index=source1 AND sourcetype=source1) OR (index=source2 AND sourcetype=source2)
| stats count AS total_event_count count(eval(Field1==Field2)) AS match_count BY <some joiner field, like host>

jhonsonkelly56 · ‎07-14-2019

Thank you @woodcock that was fantastic. I have another question, what in the above scenario what if the events come from same index and source. How do I compare field(field 1 and field2) from different events.

woodcock · ‎07-14-2019

This answer is wrong; see my new answer.

How to compare fields of two different events and if they match how to show the event count ?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!