This is the query I am using, and when I am matching the fields, Splunk does not match with the list.
Any solution for this?
host=abcd "Providing took" | rex field=_raw "request\s(?<ReqP>[^.\s]+)" | dedup ReqP | stats by ReqP
| appendcols [search host=abcd "IdGenEndpoint - 110; Confirming ids" | rex field=_raw "request\s(?<ReqC>[^\s+w\s]+)"
| dedup ReqC ]
| eval ReqPP=tostring(ReqP) | eval ReqCC=tostring(ReqC) | eval ReqCC1=rtrim(ReqCC, ".") | dedup ReqCC1
| eval Status = if(match(ReqPP,ReqCC1 ), "MATCH", "NO MATCH")
| table ReqPP, ReqCC1, Status, _time
Need something like vlookup.
Sample ReqPP: 03af9a57-7820-4ff8-b78d-370cdffdbafd