search1 displays :-
user field1 field2 field3 field4
A
B
C
D
Search2 displays :-
user field3 field4
B
C
D
E
Now both searches have a common field, user. Is there any way that I can display the list of users who were in both search 1 and search 2, something like below?
user
B
C
D
The accepted solution does NOT do as you indicated (it does a full join, not an inner join). Do an inner-join like this:
(your_search1) OR (yoursearch2) | eval user=lower(user) | stats dc(sourcetype) AS sourcetypes values(*) AS * by user | where sourcetypes=2 | table user
Try this
(index=idx1 sourcetype=st1) OR (index=idx2 sourcetype=st2) | eval user=lower(user) | eventstats dc(sourcetype) as st by user | where st=2 | rest of your query here.
Hi pavanae,
try something like this
(your_search1) OR (yoursearch2) | eval user=lower(user) | dedup user | table user
Bye.
Giuseppe
This does full join, not inner join; see my answer.
You can "join" both searches:
yoursearch1 | fields user | join type=inner user [ search yoursearch2 | fields user ]
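An added example, not written by any of the posters above: it rebuilds the question's two result sets with makeresults so the stats dc(...) intersection from the answers can be run on any Splunk instance without indexed data. The src field and its values search1 and search2 are assumptions introduced here; tagging each branch explicitly keeps the distinct count meaningful even when both searches return the same sourcetype.

```spl
| makeresults
| eval user=split("A,B,C,D", ",")
| mvexpand user
| eval src="search1"
| append
    [| makeresults
     | eval user=split("B,C,D,E", ",")
     | mvexpand user
     | eval src="search2"]
| eval user=lower(user)
| stats dc(src) AS searches by user
| where searches=2
| table user
```

The result is the three rows b, c and d. Replacing the stats and where pair with dedup user returns a through e, which is the union rather than the intersection.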