Hi community,
I have a combined search which includes two sourcetypes. Both include a field with a username. Let's say it looks like this:
Sourcetype1 Field1:
User1
User2
Sourcetype2 Field2:
User1
User2
User3
I need the values that are present in Field2, and are not in Field1. The other way around is not of interest, so a simple count and looking at <2 is not an option. So, my search needs to reflect that User3 is a value of an event in Field2, but not a value of an event in Field1.
How do I do that within my search?
The search itself:
| ldapsearch search=(&(objectClass=group)(cn=*OMITTED*)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| append
    [ search sourcetype="*OMITTED2*" source="*OMITTED3*" *OMITTED4*=*OMITTED5*
    | rename *OMITTED6* AS Field2 ]
With many thanks!
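
One way to get the one-directional difference asked about above, shown as an added example that is not part of the original post. It assumes the appended result set has Field1 populated only on rows from the first source and Field2 only on rows from the second; the `makeresults` rows are constructed stand-ins for the two sources, and `user`, `in_field1` and `in_field2` are names chosen for the illustration.

```spl
| makeresults
| eval Field1=split("User1,User2", ",")
| mvexpand Field1
| fields Field1
| append
    [| makeresults
     | eval Field2=split("User1,User2,User3", ",")
     | mvexpand Field2
     | fields Field2 ]
| eval user=coalesce(Field1, Field2)
| stats count(Field1) AS in_field1 count(Field2) AS in_field2 BY user
| where in_field2 > 0 AND in_field1 = 0
| fields user
```

Counting each field separately per user keeps the direction of the comparison, so a value seen only in Field1 never passes the `where` clause. The `BY user` grouping is an exact, case-sensitive string match, so the two sources need the same username format (case, domain prefix, whitespace) before the `stats` step.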