I want to use the clientip field of an access_combined log to get the reported username from a bigfix search.
The bigfix search I am using is:
search index=bigfix sourcetype="software_inventory" | makemv delim="," src_ip | mvexpand src_ip | table src_ip, host, user_name
How would I go about correlating clientip to src_ip and adding the user_name field without having to build a csv and setup an automatic lookup.
Thanks!
try a join.
mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]
Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.
try a join.
mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]
Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.
Worked beautifully! Thanks!