My set diff query compares the values of one field from two different hosts and outputs a list of the field values that are unique to one host or the other. However, I can't seem to find a way to also display the host name alongside the output. I am trying to get a list of values that are unique to one host and know which host they have come from.
The query follows this format:
| set diff [index=example sourcetype=example host=host1 | table FIELD] [index=example sourcetype=example host=host2 | table FIELD]
It will then output a list of values for that field that are unique to one host or the other, but I have no way of knowing which host they are unique to. If I include host in the table part of the subsearches it will return all entries, since the host is different in all cases.
I'm looking for something like this:
Field host
1234 host1
5678 host2
9101 host1
2345 host1
Any suggestions?
Thanks!
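One way to get the layout asked for above, as an added example that is not part of the original post: search both hosts in a single query, group by FIELD, and keep only the values seen on exactly one host. The index, sourcetype, host and FIELD names are the placeholders from the post, and `host_count` is a name introduced here.

```spl
index=example sourcetype=example (host=host1 OR host=host2)
| stats dc(host) AS host_count values(host) AS host BY FIELD
| where host_count=1
| table FIELD host
```

Because the grouping key is FIELD alone, host no longer takes part in the comparison, which avoids the "every row is different" effect of adding host to the `table` inside each `set diff` subsearch.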