I have two searches:
1) index=symantec_sep sourcetype="symantec:ep:scan:file" | dedup dest | table dest | sort dest
2) index=os_windows Workstation_Name="*" | dedup Workstation_Name | table Workstation_Name | sort Workstation_Name
Both show the workstations in the environment (the 1st is named dest, from Symantec SEP) & (the 2nd is named Workstation_Name).
I need to run a search to compare the results of both searches, remove duplicates and show me only missing machines:
ex:
1st search result is:
dest
abcd1020
fgh123
bnm1n1
2nd search result is:
Workstation_Name
kil123
abcd1020
fgh123
The result should show two columns named (dest) and (Workstation_Name), showing only missing machines in both, like:
dest
bnm1n1
Workstation_Name
kil123
Thanks for your help in advance, guys.
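
One way to build this comparison in a single search, as an added example that is not part of the original post: both data sets are pulled together, each machine is tagged with the source it came from, and only machines seen in exactly one source are kept. It assumes host names should be compared case-insensitively (hence lower()), and the field names machine, seen_in and source_count are made up for the illustration.

```spl
(index=symantec_sep sourcetype="symantec:ep:scan:file" dest=*) OR (index=os_windows Workstation_Name="*")
| eval seen_in=if(index=="symantec_sep", "dest", "Workstation_Name")
| eval machine=lower(if(index=="symantec_sep", dest, Workstation_Name))
| stats dc(seen_in) AS source_count values(seen_in) AS seen_in BY machine
| where source_count=1
| eval dest=if(seen_in=="dest", machine, null())
| eval Workstation_Name=if(seen_in=="Workstation_Name", machine, null())
| table dest Workstation_Name
| sort 0 dest Workstation_Name
```

Rows with only dest filled are machines that reported to Symantec SEP but did not appear in the Windows events for the chosen time range; rows with only Workstation_Name filled are the reverse, which is the list of workstations with no SEP scan data.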