I am using two searches
Search1 search 2
1 1
2 2
3 3
5 4
Using set diff gives me the result. Dont want to use join.
set diff [search index=ABC sourcetype=PQRS| stats count by x_orderno | fields - count]
[search index=DEF sourcetype=WXYZ| stats count by x_orderno | fields - count]
x_orderno
5
4
I want the result as
x_orderno sourcetype
5 PQRS
4 WXYZ
Kindly suggest.
TIA
↧