So I have 2 separate indexes with both having ip-addresses as events.
On index A the ip-addresses are under **ipaddr** field and on index B the ip-addresses are under **host_ip** field.
What I want to do is to a) compare b) evaluate those fields (content) together.
I tried several tricks available on Splunk Answers and it's always missing some pieces or not suitable for this use.
**index=a-index OR index=b-index | search ipaddr, host_ip | eval results = if(match(ipaddr,host_ip)), "hit", "miss")** - does not work.
Eventually, I don't need yet to know if there is a miss or a hit - I just want to find whether there ARE similar IP addresses on both.
Ideas?
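An added example, not part of the original post: one common way to list the IP addresses that appear in both indexes. Each event carries only one of the two fields, so a per-event `match(ipaddr,host_ip)` has nothing to compare; here the two fields are first normalized into one and the events are then grouped by that value. The index and field names `a-index`, `b-index`, `ipaddr` and `host_ip` come from the post; `ip`, `index_count`, `indexes`, `events`, `first_seen` and `last_seen` are names chosen for this example.

```spl
(index=a-index ipaddr=*) OR (index=b-index host_ip=*)
| eval ip=coalesce(ipaddr, host_ip)
| stats dc(index) AS index_count,
        values(index) AS indexes,
        count AS events,
        min(_time) AS first_seen,
        max(_time) AS last_seen
        BY ip
| eval results=if(index_count==2, "hit", "miss")
| where results="hit"
| convert ctime(first_seen) ctime(last_seen)
| sort - events
```

Dropping the `where` line keeps the "miss" rows as well, which shows the addresses seen in only one of the two indexes.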