Hi Team,
My question is: I have antivirus events and firewall traffic, and I want to run the antivirus search as a subsearch with the keyword "trojan", take values like IP and user information from that subsearch, and then pass those two fields to the main search of the firewall to see whether, at the time of detection, traffic was present for that IP or not, and what the username field of the firewall and antivirus was.
My search is:
index=cisco_asa earliest=-15m [search index=bitdefender "trojan" earliest=-15m | fields src_ip, user | rename src_ip as dest_ip | rename user as bitdefender_user] | stats values(dest_ip), values(dest_port), values(url), values(user) as firewall_user, values(bitdefender_user) by src_ip
Now my challenge is that after running the above query I am not getting any results, but when I run the query below, after removing the bitdefender_user field, I am getting results but without the Bitdefender user name. I want to see both the firewall and the Bitdefender username field in the output. How do I achieve that result?
index=cisco_asa earliest=-15m [search index=bitdefender "trojan" earliest=-15m | fields src_ip | rename src_ip as dest_ip] | stats values(dest_ip), values(dest_port), values(url), values(user) by src_ip
Just for information, the username field present in both the firewall and Bitdefender is "user".
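As an added example (not part of the original post): every field a subsearch returns becomes a filter term on the outer search, so returning bitdefender_user makes the firewall search require a field its events never carry, which is why the first query finds nothing; one way around this is to search both indexes together and correlate them with stats. This assumes, as in the post's rename, that the Bitdefender src_ip corresponds to the firewall dest_ip, and that both sources carry a user field.

```spl
earliest=-15m ((index=cisco_asa) OR (index=bitdefender "trojan"))
| eval host_ip=if(index=="bitdefender", src_ip, dest_ip)
| eval firewall_user=if(index=="cisco_asa", user, null())
| eval bitdefender_user=if(index=="bitdefender", user, null())
| eval firewall_src_ip=if(index=="cisco_asa", src_ip, null())
| stats count(eval(index=="bitdefender")) as av_detections
        count(eval(index=="cisco_asa")) as firewall_events
        values(firewall_src_ip) as firewall_src_ip
        values(dest_port) as dest_port
        values(url) as url
        values(firewall_user) as firewall_user
        values(bitdefender_user) as bitdefender_user
  by host_ip
| where av_detections > 0
```

Rows with firewall_events=0 are detections with no matching firewall traffic in the window. A combined search scans all firewall events for the window rather than only the matching IPs, so on a busy firewall index keep the subsearch returning only dest_ip (as in the working query) and add the Bitdefender user afterwards with join on the IP.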