Hello!
I launch a query with append to put the results of two queries together on different fields, but then I would like to remove the duplicates from these results:
First log:
24/05/2016 11:33:19,719 (...) service id : one
"one" is the value of the field "Service".
Second log:
24/05/2016 11:38:33,688 (...) service id : two
"two" is the value of the field "state".
The two logs are written differently, and these two service IDs have two different field names in Splunk.
I've appended the two results:
index=XXXX com="*xxxx*" service=* | append [ search index=XXXX com="*xxxx*" state=* ]
| where state!=service | stats list(state)
And I tried with "where" to show the list, but without success!
Any help is welcome :D
Thanks!
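A worked SPL example, added here as an illustration and not part of the original post. The reason `where state!=service` drops everything is that after the `append`, each event carries only one of the two fields: the other is null, and a comparison against null is never true, so every row fails the filter. The usual fix is to fold both field names into one common field with `coalesce` and then deduplicate on that field. The field name `svc` is an assumption chosen for this example; `index=XXXX` and `com="*xxxx*"` are the placeholders from the post.

```spl
/* Added example: one search instead of append, so there is no subsearch limit to hit.
   Events from either log format are matched, then the service id is read from
   whichever field is present (service or state) into the assumed field "svc". */
index=XXXX com="*xxxx*" (service=* OR state=*)
| eval svc=coalesce(service, state)
/* values() returns each distinct id once, which is the de-duplicated list.
   Use "| dedup svc | table _time svc" instead to keep one full event per id. */
| stats values(svc) AS services
```

If the two searches really must stay separate, the same `eval svc=coalesce(service, state)` line works just as well after the `append [...]`, as long as it comes before the `stats` or `dedup` rather than a `where` comparing the two fields directly.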