Comparing source categories

Comments

3 comments

  • Olaf Stein

    Hi Chaitanya,

    you can bring in two or more source categories into a query:

    (_sourceCategory=a or _sourceCategory=b)

    Are the fields in question already extracted? If you give me a bit more detail about what kind of comparison you are trying to do I can help you further.

    Thanks

    Olaf

  • Chaitanya Swamy krovvidi

    Thanks for your quick reply Olaf. Yes, the few fields that are needed have been parsed, so now I want to compare fields among the categories.

    For example, _sourceCategory=a has two fields (IP, URL) and _sourceCategory=b has two fields (srcIP, username), so based on the IP and srcIP fields I'm looking to pull out the username.

    Thanks.

  • Olaf Stein

    The main operator to accomplish this is the join operator:

    https://help.sumologic.com/Search/Search_Query_Language/Search_Operators/join

    This would look something like this:

    (_sourceCategory=a or _sourceCategory=b)
    | join
    (parse ip, url from sourcecategory a) as table1,
    (parse src_ip, username from sourcecategory b) as table2
    on table1.ip=table2.src_ip
    | fields table2_username

    Let me know if you have any questions.

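The join described in the answer above, modelled here as an added Python example (not Sumo Logic code and not from anyone in the thread) so the matching logic can be checked offline; the ip=/url= and src_ip=/user= log layouts and the sample lines are assumptions, since the thread never shows the real formats.

```python
import re
from collections import defaultdict

# Constructed sample log lines, tagged with the source category they came
# from. The field layouts are assumptions; the thread does not show them.
SAMPLE_LOGS = [
    ("a", "2024-01-01T10:00:00Z proxy ip=10.0.0.5 url=https://example.com/login"),
    ("a", "2024-01-01T10:00:03Z proxy ip=10.0.0.9 url=https://example.com/admin"),
    ("a", "2024-01-01T10:00:05Z proxy ip=10.0.0.5 url=https://example.com/export"),
    ("b", "2024-01-01T09:59:58Z vpn src_ip=10.0.0.5 user=alice"),
    ("b", "2024-01-01T10:00:01Z vpn src_ip=10.0.0.7 user=bob"),
    ("b", "2024-01-01T10:00:02Z vpn src_ip=10.0.0.5 user=carol"),
]

# One parse pattern per source category, mirroring the two parse
# subqueries (table1 and table2) of the join in the answer.
PARSERS = {
    "a": re.compile(r"ip=(?P<ip>\S+) url=(?P<url>\S+)"),
    "b": re.compile(r"src_ip=(?P<src_ip>\S+) user=(?P<username>\S+)"),
}

def parse_category(logs, category):
    """Return the parsed field dicts for every line of one source category."""
    rows = []
    for cat, line in logs:
        if cat != category:
            continue
        m = PARSERS[category].search(line)
        if m:  # lines that do not match the pattern are dropped, as parse does
            rows.append(m.groupdict())
    return rows

def join_on_ip(logs):
    """Join table1 (category a) to table2 (category b) on ip == src_ip.

    Returns {url: sorted usernames}. URLs whose IP has no match in b are
    absent, and an IP seen under several usernames yields all of them: that
    many-to-many case is what to check before trusting a single username.
    """
    users_by_ip = defaultdict(set)
    for row in parse_category(logs, "b"):
        users_by_ip[row["src_ip"]].add(row["username"])
    result = defaultdict(set)
    for row in parse_category(logs, "a"):
        for user in users_by_ip.get(row["ip"], ()):
            result[row["url"]].add(user)
    return {url: sorted(users) for url, users in result.items()}

if __name__ == "__main__":
    print(join_on_ip(SAMPLE_LOGS))
```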
