I think I am misunderstanding...lots of things. First, I am not entirely sure how to get the output I'm looking for. I am having to search across these two indexes and ideally display fields from both in an email or something for alerting purposes.
In your example above, you have the searching of the dhcp index in the subsearch, but isn't the subsearch performed first? If so, I would need to reverse that order. Also, I've read the join command documentation but I am still unsure how that data is displayed upon a successful join.
My order of operations is something like this.
1.) index=firepower AccessControlRuleName="Block Bittorrent" (The "SrcIP" field in this search result is what I'm most interested in and is what I need to search the dhcp index, however I would like to take other fields from this search and ultimately display them in the final alert.)
2.) index=dhcp "Renew" (I am not sure how to search this WITH the SrcIP field above)
3.) Return the combination of fields from both of these searches.
I've done a lot of messing around with this, and the closest I've gotten is with this search....
index=dhcp "Renew" [search index=firepower AccessControlRuleName="Block Bittorrent" | dedup SrcIP | fields + SrcIP | rename SrcIP as ip] | dedup ip | table ip, nt_host
However, I have a couple of issues. First, this only returns one value in the end, which appears to be the most recent entry. If I swap "fields" with "return" to try and have it return more results, I just get No Results Found. Second, when I am building my table at the end, I am unable to populate the table with events from the subsearch, which is something I need to do.
Any help would be much appreciated.
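An added example, not from the original post or any reply on the page, of correlating the two indexes without a subsearch, so every matching SrcIP is kept and fields from both sources land in the same row. It assumes the DHCP "Renew" events carry fields named ip (the client address) and nt_host, as the table command in the post suggests, and uses the firepower field names the post gives.

```spl
(index=firepower AccessControlRuleName="Block Bittorrent") OR (index=dhcp "Renew")
| eval ip=if(index="firepower", SrcIP, ip)
| stats latest(nt_host) as nt_host,
        values(AccessControlRuleName) as rule,
        max(_time) as last_seen,
        dc(index) as sources
        by ip
| where sources=2
| convert ctime(last_seen)
| table last_seen ip nt_host rule
```

Because both indexes are read by one base search, the subsearch result limit and the one-row-per-ip effect of dedup no longer apply; the where clause keeps only addresses that appear in both indexes, and the table can then be used directly as the alert's result set.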