Hi All,
I have a scenario where I need to combine the search results from 2 queries. For Type=101 I don't have the fields "Amount" and "Currency", so I'm extracting them through a regex in a separate query. I can't combine the regex with the main query because of the data structure I have. In the end I just want to display Amount and Currency along with all the other fields.
1st query:
sourcetype=abc | table Currency, Amount, Address, Type
2nd Query:
sourcetype=abc | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))" | where Type=101 | eval fields = mvzip(Curr,Amnt,"#") | mvexpand fields | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)"
All messages other than Type 101 already have the Amount and Currency fields. I just want to combine both results.
Thanks.
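One way to combine the two searches above with Splunk's append command, as an added example that is not part of the original post. It reuses the sourcetype, field names and regex from the question; the Type!=101 filter on the outer search is an assumption of this example, added so the Type=101 events are not listed twice (once with empty Amount/Currency from the outer search and once from the subsearch):

```spl
sourcetype=abc Type!=101
| table Currency, Amount, Address, Type
| append [
    search sourcetype=abc Type=101
    | rex field=_raw max_match=0 "(:32B:(?<Curr>.{3})(?<Amnt>.[^\n]+))"
    | eval fields = mvzip(Curr,Amnt,"#")
    | mvexpand fields
    | rex field=fields "(?<Currency>\w+)#(?<Amount>\S+)"
    | table Currency, Amount, Address, Type
  ]
```

append runs the bracketed subsearch first and concatenates its rows under the outer results; because both branches end in a table with the same column names, the combined output has Currency and Amount populated for every row. Subsearch limits apply to the appended branch (result count and run time, adjustable with append's maxout and maxtime arguments), so if the Type=101 volume is large it is worth checking that the subsearch is not being truncated.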