I have a bunch of events in one index. The events are divided by sourcetype, for example:
sourcetype=foo | fields from, to (about 5 million events)
sourcetype=bar | fields from, to (about 2 million events)
These searches return the results:
1. from=A , to=B
2. from=B , to=C
So the question is how to join the above results to get a table:
from    to
A       C
...
A{n}    C{k}
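One way to express this chained join in SPL, added here as an example and not taken from the post above. It assumes the index is called myindex and, following the A->B, B->C sample, that a foo event's to value is matched against a bar event's from value; both names are assumptions, not something the question states.

```spl
index=myindex (sourcetype=foo OR sourcetype=bar)
| eval hop=if(sourcetype=="foo", to, from)
| stats values(eval(if(sourcetype=="foo", from, null()))) as from
        values(eval(if(sourcetype=="bar", to, null()))) as to
        by hop
| where isnotnull(from) AND isnotnull(to)
| mvexpand from
| mvexpand to
| table from to
```

The hop field is the shared B value: for a foo event it is taken from to, for a bar event from from, so a single stats pass groups both sides on it. Rows where only one side contributed are dropped by the where clause, and the two mvexpand calls turn a hop with several foo or several bar events into one row per (from, to) pair. This is preferable to join with a subsearch over sourcetype=bar, because a subsearch is capped (50,000 results by default, plus a time limit) and would silently truncate the 2 million bar events; the stats form has no such cap and reads every event once.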