Solved: comparing two fields from different indexes

deepak007 · ‎02-18-2018

I have 2 indexes which have common values in their fields
index1 has a field dest containing few values which are matching to index2 DESTIP
need to create a search query for getting the values only for the matching value of
index1 dest and index2 DESTIP

I tried
index=index1 OR index=index2 |eval destination=coalesce(dest, DESTIP)| table destination, app
and its not working

493669 · ‎02-18-2018

try this:

index=index1 OR index=index2| eval destination=case(isnotnull(dest), dest, isnotnull(DESTIP), DESTIP, 1=1, "unknown")| stats values(*) AS * by destination

OR

index=index1 OR index=index2 |eval destination=coalesce(dest, DESTIP)| stats values(*) AS * by destination

View solution in original post

niketn · ‎02-18-2018

@deepak007, you should ideally create a Field Alias so that the field name becomes the same in both indexes and can be used for correlation.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

493669 · ‎02-18-2018

try this:

index=index1 OR index=index2| eval destination=case(isnotnull(dest), dest, isnotnull(DESTIP), DESTIP, 1=1, "unknown")| stats values(*) AS * by destination

OR

index=index1 OR index=index2 |eval destination=coalesce(dest, DESTIP)| stats values(*) AS * by destination

comparing two fields from different indexes

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?