Hello,
I have 2 different searches for 2 different sourcetypes with field extractions. I'm doing the field extractions for search1 for XML data.
search1:
sourcetype=xmlapp | xmlkv
search2:
sourcetype=app2
I'd like to combine the searches in such a way that when field2 from search2 does NOT match any existing field1 from search1, I need to create an alert. Any help is greatly appreciated.