Thanks, I've been trying to sort through this and I found the field issue. If I break down the search and start with the first one:

index="my_records" gw_action=Allowed user="@" |dedup record_id | table time_seen, category, crime_server, gw_action, src, record_id

This returns the records I want but doesn't have the information from the windows event log. So, I stayed with the join and set the join on the Logon_Account because both the wineventlog and my_records have this field

index="my_records" gw_action=Allowed user="@" |dedup record_id | join type=inner "Logon_Account" [search index=wineventlog] | table time_seen, Logon_Account, Source_Workstation, category, crime_server, gw_action, src, record_id

Now I'm getting the same fields returned but the extra fields I have added from the wineventlog (Logon_Account, Source_Workstation) are not populated in the table

Any ideas why this is please?

Thanks in anticipation

I don't see a common field between those two search (from the first search no field with name "Logon_Account" is returned). To be able to apply join (or any other alternative), you need a common field with exact same name. If the name is not same but the common field exists, you can rename the common field in one of the search to match other and do the join with common named field. I would also suggest to do some aggregation before you join (in both the search. This is a run anywhere example of how join can be done.

index=_internal earliest=-4h  | stats count by index sourcetype | join type=inner index [search index=_internal source=*metrics.log group=per_index_thruput earliest=-4h | stats sum(kb) as kb by series | rename series as index ] | table index sourcetype kb

So what you need is to find a field from my_records which has same values as field Logon_Account, rename the field from my_records to Logon_Account (as that's the final name you want in your result) and then do the join.

Thanks for your help, I should have seen the field name issue!

I've managed to sort this out using:

index="my _records" gw_action=Allowed user="*@*" |rename user TO Logon_Account | join type=inner Logon_Account [search index=wineventlog] | table time_seen, Logon_Account, Source_Workstation, category, crime_server, gw_action, src, record_id

However some checks I made suggested the join was not working correctly as running separate searches in my_records and wineventlog showed users appearing in wineventlog which didn't appear in the joined search. Further investigation showed the Logon_Account was sometimes partly in lowercase and sometimes partly in uppercase (e.g. ACCOUNT.NAME@mydomain.net).

I have tried using eval ln=lower(Logon_Account) and then renaming the field to ln like so

index="my_records" gw_action=Allowed user="*@*" |rename user TO ln| join type=inner eval (ln=lower(Logon_Account) [search index=wineventlog] | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id

or

index="seculert_records" gw_action=Allowed user="*@*" |rename user TO ln| join type=inner Logon_Account [search index=wineventlog |eval ln=lower(Logon_Account)] | dedup record_id| table time_seen, ln, Source_Workstation, category, crime_server, gw_action, src, record_id

But neither of these seems to work as the Source_Workstation is not populated where as it is for the first search but only for some records.

Any ideas where I'm going wrong please?

Thanks