I'm not 100% sure join is the correct function for this, but my task is to be able to connect these different sources and be able to use the fields from the sources as if it was one big event. So version 4 of a certain OS has its own out-of-support date, version 5 another support date. Each product (operating system in this case) has an entry per version. But if an entry doesn't have a Document_Number then they all have the same incorrect data from new3Money. Any suggestions would help. I have a list of servers, osname & version and a lookup with products, versions and end-of-support dates. All the entries with Document_Number(s) have the correct unique value. ITWhisperer scelikok soutamo saravanan90 thambisetty gcusello bowesmana to4kawa woodcock Please help here. But if the search Query 2 LogonIP<20 then, I want to join the result with Query 1 and get the result. Any event from my first file NewWFL that doesn't have a Document_Number, it adds the same data from one event in my third file. If the Query 2 'LogonIP' count is greater than 20 (LogonIP>20) then, I want to join the result with Query 1 and ignore the result. This is incorrect because to get to the third source you have to have the second file to connect the two. Even so, our answers are always useful to show you the gist of what we mean and you should be able to learn the approach and modify the answers to more fully suit your data/situation. This search works but when I view my data, the join function has added some data from my third source to my first source. Keep in mind that if you fail to give us sample data, then we have NO WAY to ensure that our answers are complete. So how my data is, it would be impossible for you to have a DocumentNo without a Document_Number. Here is an example: First result would return for Phase-I project sub-project processedtimestamp p1 sp11 5/12/13 2:10:45.344 PM p1 sp12 5/13/13 12:11:45.344 PM p1.
I tried the below query but it results in 0 events: IndexA sourcetypesignlogs outcomefailure. So I need to join these 2 queries with common field as processId/SignatureProcessId. | join type=left DocumentNo [search index=Work_flow source="C:\\Users\\C754651\\Desktop\\John I am trying to join two search results with the common field project. search calculate the number of events of a field per hour per day. IndexA sourcetypeaccesslogs ->This search has a SignatureProcessId (which is same as processId in the search1) and also it has userId. | Search index=Work_flow source="C:\\Users\\C754651\\Desktop\\John\\moneyNEW.csv" The three sources are NewWFL, MoneyNEW, and new3Money. Currently I'm using this search command index=work_flow source="C:\\Users\\C754651\\Desktop\\John\\NewWFL.csv" Document_Number=* So I have three sources that I need to join together to view as one event.