Hello
I have an index called 'RDIIS' with 4 fields named SourceIP, UserSID, DestIP and Host.
Important to know is that UserSID refers to the SID of an active directory user.
I also have a second index ‘ADdump’ with 2 fields UserSID and Username.
Can I somehow combine the two indexes and get this table, so that each UserSID gets associated with the right Username?
| table _time, Host, SourceIP, DestIP, UserSID, Username
Like this:
(index="RDIIS" OR index="ADdump")
| stats values(*) AS * BY UserSID
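One way to enrich each RDIIS event with the matching Username, as an added example and not the poster's own query: it assumes the field names given above (UserSID, Username, Host, SourceIP, DestIP) are already extracted in both indexes and spelled identically, and uses eventstats instead of stats so the RDIIS events stay one row per event rather than being collapsed per user.

```spl
(index="RDIIS" OR index="ADdump") UserSID=*
``` read both indexes together; UserSID is the join key, so drop events without it ```
| eventstats values(Username) AS Username BY UserSID
``` eventstats copies the Username(s) seen for a UserSID onto every event with that SID, RDIIS rows included ```
| search index="RDIIS"
``` keep only the RDIIS events now that they carry Username; ADdump rows were only needed for the lookup ```
| table _time, Host, SourceIP, DestIP, UserSID, Username
```

If a SID resolves to more than one Username in ADdump, values() returns all of them in one multivalue cell; add `| mvexpand Username` after the search line if one row per name is wanted.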