index="proxy_logs" category="none"
| top category, protocol, url, cs_Referer limit=1000
| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss")
| where results="miss"
| table category, protocol, url, cs_Referer, results
Above is working thanks to a couple of posts on here.
No I want to compare the "url" field in index1 against another index2 that also has the "url" field and show the output of index1 that does not match index2.
First search looks for items that don't match in the first index.
I then want to search the search the second index and output only items that do not match the first index.
... View more