A single index contains the following four fields: *Source*, *Name*, *EquivalentName* (some of the records under *EquivalentName* hold the same data as the field *Name*) and *Result*.
| *Source* | *Name* | *EquivalentName* | *Result* |
| --- | --- | --- | --- |
| A | 1$ | | |
| B | 2$ | | |
| C | 2$ | | |
| D | 5$ | | |
| | | 1 | X |
| | | 2 | Y |
| | | 3 | Z |
| | | 4 | W |
The end result: I would like to retrieve the list of *Result* values when searching for a list of *Source* names.
My query looks like this:

```
index=INDEX1 Source_Address="xx.xx.xxx"
| rex field=Name mode=sed "s/\$//g"
| table Source, Name
| dedup Name
| join Name [ search index=INDEX1 | where condition | rename EquivalentName as Name ]
| table Name, Result
```
I do not get any results from this. However, when I break the query down into two separate searches and match the results up 'manually', I am able to find some results. Not sure what went wrong. Kindly advise, thanks!
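A join-free way to express the same mapping, added here as an example and not part of the original post. It assumes both kinds of records can be pulled by one base search (the filter that selects the *EquivalentName*/*Result* rows is left as a placeholder because the post does not give it) and that a stripped *Name* and an *EquivalentName* compare as equal strings, so `stats ... by key` does the matching instead of `join`:

```spl
index=INDEX1 (Source_Address="xx.xx.xxx" OR <condition that selects the EquivalentName/Result records>)
| rex field=Name mode=sed "s/\$//g"
| eval key=coalesce(Name, EquivalentName)
| stats values(Source) as Source, values(Result) as Result by key
| where isnotnull(Source) AND isnotnull(Result)
| mvexpand Source
| table Source, key, Result
```

With the sample rows above this yields A/1/X, B/2/Y and C/2/Y; D (key 5) has no *EquivalentName* row and is dropped by the `where`. The `stats` form also sidesteps the subsearch limits that apply to `join` (the subsearch is cut off at `subsearch_maxout`/`subsearch_maxtime` in `limits.conf`, 50,000 results and 60 seconds by default), which is one of the usual reasons a `join` returns nothing while the two halves work on their own.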