Hello all,

I have two search strings that pull information - one pulls all the blocked emails and the second pulls the emails blocked due to the rule it was blocked on and the file name. I would like to combine these searches so that the table has the additional "File Name" field whenever the rule the email is being blocked on is a certain value.

Search 1:

index=index_name sourcetype=sourcetype_name | stats count by _time, email_domain, rule_name, email_ID

Search 2:

index=index_name sourcetype=sourcetype_name rule=hasFile file_name=* | table _time, email_ID, file

Note: Both searches have an email_ID that matches, and I've been trying to use that value to no avail.

Thanks in advance for the assistance!