So i have logs coming from two different applications. They both both track certain customer requests. They both have a unique id associated with different run throughs. The second app will have a subset of the first apps id's. What i want to do is make a table that has information about all the id's that are in the first search but not in the second. I can use the diff command to get all the unique id's but that only works when i have the same row format in each table. I want other information other than the id's the the second search does not track. Here's my diff search.
| set diff [search tag=app1| dedup mdc.id| rename mdc.id AS "Unique Id" | table "Unique Id"] [search app=app2 | dedup artifacts.tracker.id| rename artifacts.tracker.id AS "Unique Id" | table "Unique Id"]
Thanks for any help you can give.
↧
Search based on two searches where one field from one search subtracts results from the other search
↧