In my data, events can have children. There is data in those events that I would want to associate with the parent event. When I do my base search, sometimes I find events where the parent event is created outside of the global time picker window. The only way I can think to solve this is by I can join a sub-search and have the sub-search be a different time window?
My existing search is as follows:
"base search with sourcetype=A"
| rename display_value as parent_num
| join type=outer parent_num
[search "second search with sourtype=A"
| dedup number sortby -sys_updated_on
| rename priority as parent_priority, number as parent_num, u_incident_type as type,
| table parent_num, parent_priority, type, parent_assignment]
| eval type = if(parent!="*", u_incident_type, type)
This works, except when, for example, if I am looking at the past 24 hours, and the "parent" was created before. I am sure there are a number of ways to solve this, but this seems most apparent to me. I don't want to exclude the occasions when I am "missing" the data.
... View more