I have to represent the difference of fields from two different searches on the same index with different tokens.
The first search will be as below:
index = main sourcetype=regression1 |eval field1 = seed
and the second is as follows:
index = main sourcetype=regression2 |eval field2 = seed
I tried the following queries but was not able to achieve my requirement:
|multisearch [index = main sourcetype=regression1 |eval field1 = seed]
[ index = main sourcetype=regression2 |eval field2 = seed]
|eval field3 = field2 - field1
|table field1,field2,field3
Also with an if condition:
index = main sourcetype=regression1 AND index = main sourcetype=regression2
|eval field1 = seed if(index = "main" AND sourcetype="regression1")
|eval field2 = seed if(index = "main" AND sourcetype="regression2")
|eval field3 = field2 - field1
|table field1, field2, field3
Any help will be very useful.
Thanks
You are only assigning field1 if the sourcetype is "regression1" and field2 if the sourcetype is "regression2". You can never subtract those, since they do not exist in the same events.
First you need to make sure to populate them everywhere, like this:
index=main sourcetype IN(regression2,regression1)
| eval field1=if(match(sourcetype,"1$"),seed,0)
| eval field2=if(match(sourcetype,"2$"),seed,0)
| eval field3=field2-field1
| table field1 field2 field3
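As an added example (not part of the answer above, and not the original poster's code), here is the same idea carried one step further so that the two values actually land in the same row before the subtraction. It assumes that both sourcetypes carry a shared correlation field, called `token` here (the question mentions tokens but does not name the field, so this is an assumption), and that `seed` is numeric:

```spl
index=main sourcetype IN (regression1, regression2)
| eval field1=if(sourcetype=="regression1", seed, null())
| eval field2=if(sourcetype=="regression2", seed, null())
| stats max(field1) AS field1 max(field2) AS field2 BY token
| eval field3=field2-field1
| where isnotnull(field3)
| table token field1 field2 field3
```

The eval lines populate field1 and field2 on every event, as in the answer, but use null() instead of 0 for the "other" sourcetype so that the later aggregation ignores the missing value rather than counting it (with 0, max() still works, but min() or avg() would be pulled toward zero). The stats command is what collapses the two per-event rows for one token into a single row holding both fields; without an aggregation of this kind, field3 is computed per event and only ever sees one of the two values. The where clause drops tokens that appear in only one of the two sourcetypes, since their field3 is null.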