我必须用不同的标记来表示同一索引上两次不同搜索的字段差异。
第一次搜索如下:
index = main sourcetype=regression1 |eval field1 = seed
第二个如下:
index = main sourcetype=regression2 |eval field2 = seed
我尝试了以下查询,但无法达到我的要求:
|multisearch [index = main sourcetype=regression1 |eval field1 = seed]
[ index = main sourcetype=regression2 |eval field2 = seed]
|eval field3 = field2 - field1
|table field1,field2,field3
也适用于 if 条件:
index = main sourcetype=regression1 AND index = main sourcetype=regression2
|eval field1 = seed if(index = "main" AND sourcetype="regression1")
|eval field2 = seed if(index = "main" AND sourcetype="regression2")
|eval field3 = field2 - field1
|table field1, field2, field3
任何帮助都会非常有用。
谢谢
您仅在源类型为“regression1”时分配
field1field2首先,您需要确保将它们填充到各处,如下所示:
index=main sourcetype IN(regression2,regression1)
| eval field1=if(match(sourcetype,"1$"),seed,0)
| eval field2=if(match(sourcetype,"2$"),seed,0)
| eval field3=field2-field1
| table field1 field2 field3