I have email address' that are used as user names in two different source types in two different indices. I am trying to compare the two in order to find a list of matches and also the list of ones that do not match for each. I am doing something like this:
index="index1" OR index ="main" sourcetype="SessionCount" OR sourcetype="Identity" Userid=email | table Userid, email
(I just want to output matching fields with this search)
There are a lot of matches between the Userid and email -> I have run individual searches on each and compared the results. However, I receive no matches. Is there possibly an issue with the format of the strings or are there any time comparisons going on that may throw it off?