I have two sets of data:
1. sourcetype=app "DEBUG A" function=UpdateCartItemStatus status=Rejected
2. sourcetype=app "DEBUG B" function=UpdateCartItemStatus
Set 1 (DEBUG A) also has the fields unitID1, unitID2, and user1.
Set 2 (DEBUG B) also has the fields unitID1, unitID2, and user2.
I would like to join data set 1 with data set 2 on unitID1 and unitID2 and get a count of the number of instances this occurs per user2. Ideally this would be as efficient as possible, as the data sources are large, searches can span long periods of time, and they are constantly being refreshed. A join is not required; it was just the first thing I thought of.
I am using the dashboard editor for Splunk Enterprise.