STEP FOUR: Roll the information from the time-oriented record onto the other using streamstats, then throw away the records you no longer need.

`| fields index host user field1 ip field2`

Or another way is this:

`sourcetype=typ1 | eval Number=Number1 | join type=outer Number [search sourcetype=type2]`

`(index=foo1 host=* ip=*) OR (index=foo2 ip=* user=*)`

I found a solution now. It looks like this:

`sourcetype=typ1 | eval Number=Number1 | join type=outer Number [search sourcetype=type2 | eval Number=Number2] | search NOT Number2`

The left-side dataset is sometimes referred to as the source data. The left-side dataset is the set of results from a search that is piped into the join command.

I have two sourcetypes that have a field that does not have the same name in both places (but has the same values):

i) `sourcetype="alphalog" | dedup ModuleNum`

ii) `sourcetype="betalog" | table MNumber`

I looked at the code and the question, and the two do not seem to be in sync. It seems like the requirement is for a full outer join, not just a join.

Use the join command to combine the left-side dataset with the right-side dataset, by using one or more common fields.

Two files with one common field between the two, but the relevant value in one of them changes over time, and you need to get the right one.

File1: index=foo1 with fields _time host ip field1 junk1

File2: index=foo2 with fields _time user ip field2 junk2

In simple words: with join type=outer, when the query before the join command runs for the last 15 min and the query after the join runs for a specific timestamp, all the services from the last 15 min must be present in the result.
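The "sort both sources by time, roll the latest left-side values forward (as streamstats would), then keep only the right-side records" approach from STEP FOUR, as an added Python simulation that is not part of the original post; the FILE1/FILE2 events and the `asof_join` helper are constructed for illustration.

```python
"""Added example (not from the original post): simulate the union + time sort +
streamstats-style forward-fill + discard approach to joining two sources on a
common field whose mapping changes over time. All events are constructed."""

# Constructed File1 (index=foo1): maps ip -> host, and the mapping for
# 10.0.0.5 changes at _time=200 (web-a is replaced by web-b).
FILE1 = [
    {"_time": 100, "index": "foo1", "host": "web-a", "ip": "10.0.0.5", "field1": "x"},
    {"_time": 200, "index": "foo1", "host": "web-b", "ip": "10.0.0.5", "field1": "y"},
    {"_time": 150, "index": "foo1", "host": "db-1", "ip": "10.0.0.9", "field1": "z"},
]
# Constructed File2 (index=foo2): user activity keyed by ip.
FILE2 = [
    {"_time": 120, "index": "foo2", "user": "alice", "ip": "10.0.0.5", "field2": "p"},
    {"_time": 250, "index": "foo2", "user": "bob", "ip": "10.0.0.5", "field2": "q"},
    {"_time": 160, "index": "foo2", "user": "carol", "ip": "10.0.0.9", "field2": "r"},
    {"_time": 90, "index": "foo2", "user": "dave", "ip": "10.0.0.5", "field2": "s"},
]


def asof_join(left, right, key="ip", carry=("host", "field1")):
    """Return right-side events enriched with the most recent left-side values
    for the same key at or before each event's _time. This mirrors
    `... | sort _time | streamstats latest(host) latest(field1) by ip`
    followed by discarding the left-side rows; a plain join would attach the
    same host to every occurrence of an ip regardless of when it was seen."""
    # Sort by time; on ties, let the left-side (foo1) row update state first.
    merged = sorted(left + right, key=lambda e: (e["_time"], e["index"] != "foo1"))
    last = {}   # key -> carried values most recently seen for that key
    out = []
    for ev in merged:
        if ev["index"] == "foo1":
            last[ev[key]] = {c: ev.get(c) for c in carry}
            continue   # left-side rows only update state; they are thrown away
        enriched = dict(ev)
        # No earlier left-side record for this key: carried fields stay None
        # (the outer-join case where the right-side row must still survive).
        enriched.update(last.get(ev[key], {c: None for c in carry}))
        out.append(enriched)
    return out


if __name__ == "__main__":
    for row in asof_join(FILE1, FILE2):
        print(row["_time"], row["user"], row["ip"], "->", row["host"], row["field1"])
```

Note that "dave" at _time=90 predates every File1 record for 10.0.0.5, so he keeps no host; a naive `join ip` would silently give him whichever mapping happened to be returned first.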