Hello,
I want to compare results of 2 searches, I am using a subsearch and a join
index=1 | table field1 | eval a=field1| join type=left a [ | search index=2 |table field2 | eval a=field2 | fields -a
Problem is that field2 doesn´t have all the values of field1 and I want to check which values are present and if they are equal.
Should look like that:
Field1 Field2
value1 value1
vaule2 value2
vaule3
vuale4 value4
For now I just got it work by comparing both fields with the new field a. Is there a way to get that done more efficiently?
Thank you
↧