I'm having an issue with matching results between two searches utilizing the append command. I realize I could use the join command but my goal is to create a new field labeled Match.
index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| append
[search index=type2 EVENT_TYPE=Blah2
| eval KEYFIELD2=field1.field2.field3.field4
| fields KEYFIELD2]
| eval results1=if(KEYFIELD=KEYFIELD2,"Match","No Match")
| eval results2=if(match(KEYFIELD, KEYFIELD2),"Match","No Match")
| eval results3=if(like(KEYFIELD, "%".KEYFIELD2."%"), "Match","No Match")
Even though I know there are "matches", my results only come back as No Match.
Any assistance on this would be greatly appreciated.
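Added example, not part of the original post: the reason every eval returns "No Match" is that append does not join the two result sets, it only adds the subsearch rows below the main-search rows. Each row therefore carries either KEYFIELD or KEYFIELD2, never both, so the comparison sees a null on one side and falls through to the "No Match" branch. The search below keeps the index names, EVENT_TYPE values and field names from the post; the field names key, src and sources are assumed names I introduced. It gives both searches the same key field, tags each row with its source, and uses stats to bring matching rows together before computing Match.

```spl
index=type1 EVENT_TYPE=Blah1 KEYFIELD=*
| eval key=KEYFIELD, src="type1"
| fields key src
| append
    [search index=type2 EVENT_TYPE=Blah2
     | eval key=field1.field2.field3.field4, src="type2"
     | fields key src]
| stats values(src) AS sources, count AS n BY key
| eval Match=if(mvcount(sources)==2, "Match", "No Match")
| table key Match n sources
```

The stats BY key stage collapses all rows sharing a key into one row whose sources field lists which of the two searches produced it; a key seen in both has two values and is labelled Match, a key seen in only one is labelled No Match. Two practical checks before trusting the result: normalise both sides the same way (for example lower(trim(...))) if case or stray whitespace could differ between the indexes, and remember that the append subsearch is subject to subsearch result and time limits, so a large type2 result set can be silently truncated and look like missing matches.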