OK so... I have been banging my head against the wall on this one for a bit. I have tried using join (which I don't and can't use because the second search needs to return all results, more than 50k events), tried the append command, union and a few others. I may be missing something, or it just may not be possible.
Currently I am working with | multisearch and both searches return results, but the second search is not populating the field (territory) based on the hits from the first search. The results look like this, and the territory column goes on for a few pages. This will be run on a 24-hour run cycle, btw; that's the reason I cannot use join: a 24-hour run on that second search does not return all results due to the join cap.
As you can see, my problem is trying to return results for that territory only if it matches a hit from the first search.
This is what I am currently running and what it outputs above:
| multisearch
[ search index=mft_prod* sourcetype=UploadedDocumentsPath RecipientAddress!="company.com" (RecipientAddress="@gmail" OR RecipientAddress="@live" OR RecipientAddress="@yahoo" OR RecipientAddress="@aol" OR RecipientAddress="@hotmail" OR RecipientAddress="@outlook" OR RecipientAddress="@Verizon" OR RecipientAddress="@comcast" OR RecipientAddress="@icloud" OR RecipientAddress="@mail.ru")
| eval Total_MB_Size=round((fileSize/1024/1024),2)
| where Total_MB_Size > 100
| fields Total_MB_Size, SenderAddress, RecipientAddress]
[ search
index=snow_glbl sourcetype=snow:sys_user earliest=-5d@d
| fields dv_email, dv_u_territory]
| eval dv_email=SenderAddress
| table SenderAddress, RecipientAddress, Total_MB_Size, dv_u_territory
Any ideas what I am missing or doing wrong with this one?
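multisearch only unions the streaming output of its subsearches, so no row from the sys_user search is ever matched to a SenderAddress, and the eval after it just overwrites dv_email with SenderAddress on rows that never carried a territory; the join-free way to enrich the MFT events without any subsearch result cap is to materialise the user table into a lookup and apply it in the main search. This is an added example, not from the post: the lookup name user_territory.csv is assumed, the first search is meant to run on its own schedule before the detection search, and the post's field names and RecipientAddress terms are kept as written.

```spl
index=snow_glbl sourcetype=snow:sys_user earliest=-5d@d dv_email=*
| eval dv_email=lower(dv_email)
| stats latest(dv_u_territory) as dv_u_territory by dv_email
| outputlookup user_territory.csv

index=mft_prod* sourcetype=UploadedDocumentsPath RecipientAddress!="company.com"
    (RecipientAddress="@gmail" OR RecipientAddress="@live" OR RecipientAddress="@yahoo"
     OR RecipientAddress="@aol" OR RecipientAddress="@hotmail" OR RecipientAddress="@outlook"
     OR RecipientAddress="@Verizon" OR RecipientAddress="@comcast" OR RecipientAddress="@icloud"
     OR RecipientAddress="@mail.ru")
| eval Total_MB_Size=round(fileSize/1024/1024, 2)
| where Total_MB_Size > 100
| eval dv_email=lower(SenderAddress)
| lookup user_territory.csv dv_email OUTPUT dv_u_territory
| where isnotnull(dv_u_territory)
| table SenderAddress, RecipientAddress, Total_MB_Size, dv_u_territory
```

The final where keeps only senders that exist in the user table; drop it to keep unmatched senders with an empty territory. If a scheduled lookup is not an option, the same stats-by-dv_email aggregation can sit inside an append subsearch followed by eventstats values(dv_u_territory) by dv_email, but that path still runs under the subsearch result limit that the join attempt hit.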