I'm new to Splunk and I'm trying to add some logic to reduce false positives.
I have two indexes
index=A
index=B
Both indexes have a field that has the same data I can match on.
Index A has a field (A_field_match)
Index B has a matching field (B_field_match).
Both indexes have index-specific fields I would like to add together in a table for true enrichment of the data.
Index A has A_interesting_field_1, A_interesting_field_2, A_interesting_field_3, A_interesting_field_4.
Index B has B_interesting_field_1, B_interesting_field_2, B_interesting_field_3, B_interesting_field_4.
Each Index has very helpful fields that I can search on to remove false positives if I can match on A_field_match and B_field_match from both indexes.
I have tried transaction, stats and join but I am completely lost and getting nowhere. Any help would be greatly appreciated.
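The following search is an added example (editor's code, not the poster's or Splunk's) of the usual way to correlate two indexes on a shared key without the `join` command: search both indexes at once, build one common key with `eval`, and let `stats ... by` bring the fields from both sides onto a single row. It assumes the field names exactly as listed in the question (index names A and B, A_field_match / B_field_match, A_interesting_field_N / B_interesting_field_N) and that those fields are already extracted at search time. The final `where` filter on B_interesting_field_1 is a hypothetical placeholder for whatever condition identifies a false positive in the poster's data; the `rename comment AS` lines are the common SPL idiom for in-search comments and do nothing to the results.

```spl
(index=A) OR (index=B)
| rename comment AS "one key for both sides; lower/trim guards against case and whitespace mismatches"
| eval match_key=lower(trim(coalesce(A_field_match, B_field_match)))
| stats values(A_interesting_field_1) AS A_interesting_field_1
        values(A_interesting_field_2) AS A_interesting_field_2
        values(A_interesting_field_3) AS A_interesting_field_3
        values(A_interesting_field_4) AS A_interesting_field_4
        values(B_interesting_field_1) AS B_interesting_field_1
        values(B_interesting_field_2) AS B_interesting_field_2
        values(B_interesting_field_3) AS B_interesting_field_3
        values(B_interesting_field_4) AS B_interesting_field_4
        dc(index) AS index_count
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY match_key
| rename comment AS "keep only keys that appeared in BOTH indexes; that is the correlation step"
| where index_count=2
| rename comment AS "hypothetical false-positive filter: replace with the real condition from index B"
| where B_interesting_field_1!="KNOWN_GOOD_PLACEHOLDER"
| convert ctime(first_seen) ctime(last_seen)
| table match_key first_seen last_seen A_interesting_field_* B_interesting_field_*
```

Points worth knowing when adapting this: `stats` runs in the main search, so it is not subject to the subsearch row and time limits that make `join` silently drop matches on larger data sets; both indexes must fall inside the same time-picker range for a key to be seen twice; `values()` produces a multivalue cell when a key occurs more than once in an index, so if the relationship is one event per key per index, `first()` or `latest()` gives a flat single value instead; and if the two match fields are not always populated, check `dc(index)` rather than relying on the enrichment fields being non-null, since `stats` keeps a row for any key seen in either index.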