I have two indexes that contain the same ip address but only one index contains hostnames for the ip addresses. How can I search and match the ip addresses from both indexes in the same query and table out each ip address with their corresponding hostname?
Hi cald0002,
Give this a try:
(SPL to get events from index 1) OR (SPL to get events from index 2)
| stats values(hostname) AS hostname by ip
You might need to adapt the query to match the hostname and ip fields according to your events.
hope this helps ...
cheers, MuS
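One way to fill in the pattern from the answer above, as an added example that is not part of the original thread. The index names fw_logs and dhcp_logs and the field names src_ip, client_ip and host_name are hypothetical and stand in for whatever your events use. It goes one step beyond the answer by keeping only the addresses seen in both indexes.

```spl
(index=fw_logs src_ip=*) OR (index=dhcp_logs client_ip=*)
| eval ip=coalesce(src_ip, client_ip)
| eval hostname=lower(host_name)
| stats values(hostname) AS hostname dc(index) AS index_count values(index) AS indexes BY ip
| where index_count=2
| table ip hostname indexes
```

The coalesce call gives both event types a common ip field before stats groups on it, and lower() keeps the same host from appearing twice under different casing. Drop the where clause to also list addresses that appear in only one index.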