This got me very close to the right solution. Here's what I ended up with.
(search that builds sanitized search records) | eval mac=coalesce(sourceA_mac sourceB_mac) | transaction mac maxpause=300s | stats values (*) by computername mac sourceA_mac | table dhcp_hostname mac
(will work on the timestamp next, but that's trivial.)
So to break it down--
eval mac=coalesce() adds a field to each set of records "mac" so that the mac address can be found within one common field (in addition to the individual fields they were stored in previously.) You can't use rename here because the second rename clobbers the first.
transaction mac maxpause=300s This says that if you have two records with matching mac fields within 5 minutes, join the fields (without the computationally expensive join command.) This is close enough for my report.
stats values (*) fieldA fieldB this is basically a test to ensure that the fields are non-null. By looking at computername and SourceA_mac, I know that it's a validly joined field. The original dataset wouldn't have both the computername and sourceA_mac fields together unless they've been joined by the transaction command. This effectively discards all fields that don't match those. I also pass mac through this command because I want it in my table.
table - should be self explanitory. I don't show sourceA_mac since it's redundant
I know that's long-winded but this query took me a while. Hopefully this might be of help to others.
... View more