I am trying to find a way to have a subsearch display all the raw data that leads up to the final result. In my instance I am searching for DMCA violations and I search across our firewall for the NAT translation, then our DHCP scope for the MAC address, and finally our authentication server for the username. For documentation purposes I need to have all the raw logs that lead up to the username.
Below is my current subsearch: [search sourcetype=dhcpd [search sourcetype="netscreen:firewall" ip=$SrcIP$ port=$Port$ | top limit=5 src | fields + src | rename src as search] | top limit=5 src_mac | fields + src_mac | rename src_mac as search] sourcetype="cisco_acs" | top User_Name limit="5"
Ideally I would like a report that shows something like
Username: xyz
NAT Translation: raw logs
DHCP: raw logs
Auth: raw logs
I think you just need to add something like this (assuming the 3 categories you list directly map to sourcetype):
... | stats list(_raw) by username,sourcetype
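As an added illustration (not code from the original question or answer), the script below performs the same three-stage pivot outside Splunk: firewall events matching the public NAT address and port yield private source IPs, DHCP events for those IPs yield MAC addresses, and authentication events for those MACs yield usernames. Unlike a nested subsearch, which only returns the final stage's results, it keeps the raw events of every stage and groups them by username and sourcetype, which is the shape the `stats list(_raw) by ..., sourcetype` step produces. The field names `src`, `ip`, `port`, `src_mac` and `User_Name` are taken from the question's search; the key=value log formats, the sourcetype-to-label mapping and the sample events are constructed assumptions for the example.

```python
import re

# Constructed sample events (not real logs): one firewall session per
# private host, a DHCP lease per host, and an ACS authentication per MAC.
SAMPLE_EVENTS = [
    {"sourcetype": "netscreen:firewall",
     "_raw": "2024-03-01T10:02:11 NetScreen: src=10.1.2.3 src_port=51000 "
             "ip=203.0.113.5 port=40001 dst=198.51.100.9 dst_port=6881 action=permit"},
    {"sourcetype": "netscreen:firewall",
     "_raw": "2024-03-01T10:03:40 NetScreen: src=10.1.2.77 src_port=49222 "
             "ip=203.0.113.5 port=40002 dst=198.51.100.9 dst_port=6881 action=permit"},
    {"sourcetype": "dhcpd",
     "_raw": "2024-03-01T09:58:00 dhcpd: DHCPACK src=10.1.2.3 src_mac=00:11:22:33:44:55 via eth1"},
    {"sourcetype": "dhcpd",
     "_raw": "2024-03-01T09:59:30 dhcpd: DHCPACK src=10.1.2.77 src_mac=66:77:88:99:aa:bb via eth1"},
    {"sourcetype": "cisco_acs",
     "_raw": "2024-03-01T09:57:10 CisACS: User_Name=jdoe src_mac=00:11:22:33:44:55 status=Passed"},
    {"sourcetype": "cisco_acs",
     "_raw": "2024-03-01T09:59:00 CisACS: User_Name=asmith src_mac=66:77:88:99:aa:bb status=Passed"},
]

# Assumed mapping from the report's row labels to the sourcetypes in the question.
LABELS = [("NAT Translation", "netscreen:firewall"), ("DHCP", "dhcpd"), ("Auth", "cisco_acs")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(raw):
    """Extract key=value pairs from a raw event (assumed log format)."""
    return dict(KV_RE.findall(raw))


def _uniq(items):
    """Drop duplicate raw lines while preserving first-seen order."""
    return list(dict.fromkeys(items))


def _stage(events, sourcetype, predicate):
    """Return (fields, raw) for events of one sourcetype whose fields satisfy predicate."""
    return [(f, e["_raw"]) for e in events if e["sourcetype"] == sourcetype
            for f in [parse_kv(e["_raw"])] if predicate(f)]


def build_report(events, nat_ip, nat_port):
    """Pivot NAT address/port -> private IP -> MAC -> username, keeping every stage's raw events."""
    fw_hits = _stage(events, "netscreen:firewall",
                     lambda f: f.get("ip") == nat_ip and f.get("port") == nat_port)
    src_ips = {f["src"] for f, _ in fw_hits if "src" in f}
    dhcp_hits = _stage(events, "dhcpd", lambda f: f.get("src") in src_ips)
    macs = {f["src_mac"] for f, _ in dhcp_hits if "src_mac" in f}
    auth_hits = _stage(events, "cisco_acs", lambda f: f.get("src_mac") in macs)

    report = {}
    for af, araw in auth_hits:
        user, mac = af.get("User_Name"), af.get("src_mac")
        if not user:
            continue
        entry = report.setdefault(user, {st: [] for _, st in LABELS})
        entry["cisco_acs"].append(araw)
        # Walk the chain back so each user keeps only the events that led to them.
        for df, draw in dhcp_hits:
            if df.get("src_mac") != mac:
                continue
            entry["dhcpd"].append(draw)
            for ff, fraw in fw_hits:
                if ff.get("src") == df.get("src"):
                    entry["netscreen:firewall"].append(fraw)
    for entry in report.values():
        for st in entry:
            entry[st] = _uniq(entry[st])
    return report


def render_report(report):
    """Render the report in the layout requested in the question."""
    lines = []
    for user, by_type in report.items():
        lines.append(f"Username: {user}")
        for label, st in LABELS:
            lines.append(f"{label}:")
            lines.extend("  " + raw for raw in by_type[st])
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(build_report(SAMPLE_EVENTS, "203.0.113.5", "40001")))
```

Running it with the public address and port of the DMCA notice prints one block per resolved username with the firewall, DHCP and authentication events beneath it; a port that matches no firewall session yields an empty report rather than a partial one, which is the case to watch for when the DHCP lease or ACS record for the timeframe is missing.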