Hello guys,
I have 2 indexes, index a and index b.
On index a I have a field called nachrichtId.
On index b I have a field called originalId.
Both of these fields have the same string (value).
I now want to write a search where I can find out if I have some nachrichtId events on index a but no originalId on index b.
I want to find out if I have some problems with my events or if I have a gap between these 2 indexes.
Can anyone help me, please? Thank you 🙂
Hi @mklhs,
If your value is already in a field, let's call it field_value, you can run a search as follows:
index= nachrichtId OR index=originalId
| stats dc(index) as condition by field_value
| where condition<2
If the value is not extracted and it's the whole event you wish to compare, then you can use the _raw field:
index= nachrichtId OR index=originalId
| stats dc(index) as condition by _raw
| where condition<2
Let me know if that helps.
Cheers,
David
Thanks for your answer, but I don't know if this is right for me.
I have 2 indexes.
In index 1 I have an event with a field named Nachrichtentid.
This field has the value foobar.
In index 2 I have an event with a field named OriginalId.
This field also has the value foobar.
I want to find out which events are not forwarded by index 1 and index 2, so where events are missing here. In both indexes the events have only these 2 fields as unique values.
First you need to make sure that this ID has the same name in both indexes to make it easier to join without using the join command. So first create an alias, call it joinID or something. Then run the search below:
index=index1 OR index=index2
| stats dc(index) as condition by joinID
| where condition<2
This will fetch data from both indexes and see which ID is in less than 2 indexes.
If you also wish to know which index has the missing event, you can run the following:
index=index1 OR index=index2
| stats dc(index) as condition, values(index) as index by joinID
| where condition<2
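An added example, not part of the answer above: the same comparison when no field alias has been configured, building joinID at search time with eval coalesce() and naming the index each ID is absent from. It assumes the index names index1 and index2 from the answer and the field names nachrichtId and originalId from the question (field names are case-sensitive, so they must match the events exactly); missing_from and first_seen are hypothetical field names.

```spl
index=index1 OR index=index2
| eval joinID=coalesce(nachrichtId, originalId)
| stats dc(index) as condition, values(index) as index, min(_time) as first_seen by joinID
| where condition<2
| eval missing_from=if(index="index1", "index2", "index1")
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| table joinID, index, missing_from, first_seen
```

An ID whose counterpart was indexed just outside the search time range also appears in this result, so check first_seen against the edges of the window before treating a row as a real gap.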
That works for me. Thank you for your help.
You're welcome!