How do I merge search results for this problem:
Search 1 contains Field A, Search 2 contains Field B. Want to merge searches by host, time, and Field A = Field B
What I have so far is:
index =index value sourcetype = sourcetype value host=host value "Search 1" OR "Search 2" |transaction host startswith="Search1" endswith="Search2" maxspan=3s
Gets me sorta close, but I still have a mismatch with Field A and Field B.
I need to correlate the results of the searches by host, time, Field A and Field B matching.
Any ideas?