I need help figuring out the best way to get the information I want in one query.
I have indexA with sourcetypeA, sourcetypeB and sourcetypeC. I also have indexB with sourcetypeD.
I input two values to search for within sourcetypeA. The results will give me three fields that I need to use to search the remaining sourcetypes. I want the results to return the raw events for all instances that are found.
Basically, sourcetypeA contains field1, field2, field3.
sourcetypeB and sourcetypeC contain field1, field2, field3. But I need the output from sourcetypeA (field1, field2, field3) in order to search sourcetypeB and sourcetypeC for matching fields.
sourcetypeD contains field2 and field3. I need the output from sourcetypeA or sourcetypeB to search for field2 and field3 in sourcetypeD.
Here is what I have tried; it has only gotten me part of what I want. (There have been numerous attempts to figure this out.)
sourcetype=logA input1=NAME input2=ADDRESS | join type=outer field2 [search sourcetype=sourcetypeD]
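One way to express the chained lookup described in the question without `join`, as an added example that is not part of the original post: the sourcetypeA search runs as a subsearch, and the field values it returns become the filter for the other sourcetypes. The index, sourcetype and field names, and the `input1=NAME input2=ADDRESS` filter, are taken from the question; the assumption is that field1, field2 and field3 are already extracted under those names in every sourcetype.

```spl
(index=indexA sourcetype=sourcetypeA input1=NAME input2=ADDRESS)
OR
(index=indexA (sourcetype=sourcetypeB OR sourcetype=sourcetypeC)
    [ search index=indexA sourcetype=sourcetypeA input1=NAME input2=ADDRESS
      | dedup field1 field2 field3
      | fields field1 field2 field3 ])
OR
(index=indexB sourcetype=sourcetypeD
    [ search index=indexA sourcetype=sourcetypeA input1=NAME input2=ADDRESS
      | dedup field2 field3
      | fields field2 field3 ])
```

Because the outer search is a plain base search rather than a `join`, it returns the raw events from all four sourcetypes, and sourcetypeD is matched on field2 and field3 only, as the question describes. Each subsearch is rewritten by Splunk into an OR of `field="value"` terms, so the matching is exact on extracted field values; subsearches are also subject to default result-count and runtime limits, so if the sourcetypeA search can return a large number of distinct field combinations, the results may be silently truncated and a `stats`-based approach keyed on field2 and field3 would be the more robust choice.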