EDIT: Never mind, I was just being dumb. It seems that no matter how I search by the field3 value that triggered on field1, field2 doesn't exist. For some reason I thought it did.
I have an interesting issue I'm trying to solve and I've hit a road block at this point.
Basically, what I'm trying to accomplish is to take the output of search1, append search2, and then match both by field3, since it exists in both searches.
Search1 and search2 have the same index and produce mostly the same fields; however, there are a few that are present in one search but not in the other, and vice versa. Let's call those field1 and field2. EDIT: field1 only exists in search1 and field2 only exists in search2.
This is my current query:
index=s_index1 string field1="value" OR field1="value" OR string field3!="value" | transaction field3 | append [search index=s_index1 string field2="*" | transaction field3] | transaction field3 | table _time, field4, field5, field3, field6, field1, field2
This is currently not working to the full effect I'd like. It seems most of the data is there, but it's not correct / not being interpreted correctly.
I normally use eval to match two separate fields with the same or separate data. Is there a way to use eval to match on searches?
Such as | eval search1 field3 = search2 field3, or is there a way to do this that I'm simply missing? Should I be using the join command instead of append? Any help would be greatly appreciated.
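One idiomatic way to correlate the two result sets on field3 without transaction, append or join is to run them as a single search and aggregate with stats, as an added example that is not part of the original post. The index and field names are the placeholders from the question, and "value" stands in for the real field1 filter; the two eval-based counters keep only field3 values that were seen by both searches, which is the inner-join behaviour the question asks about.

```spl
index=s_index1 (field1="value" OR field2="*")
| stats earliest(_time) as _time
        values(field4) as field4 values(field5) as field5 values(field6) as field6
        values(field1) as field1 values(field2) as field2
        sum(eval(if(isnotnull(field1),1,0))) as n_search1
        sum(eval(if(isnotnull(field2),1,0))) as n_search2
  by field3
| where n_search1 > 0 AND n_search2 > 0
| table _time, field4, field5, field3, field6, field1, field2
```

Dropping the final where clause turns it into an outer join that also shows field3 values present in only one of the two searches, which is a quick way to check whether field2 ever appears for the events found via field1.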