I have the following query:
index="IPSType1" | append [ search index="IPSType2"] | rename attacker as src_ip| top src_ip limit=75 | fields src_ip count description risk_warning risk_suspicious
I have verified that the combined query total equals what each separate query finds. And I am seeing the breakdown of IP addresses and count...BUT I am not seeing anything for description, risk_warning, or risk_suspicious.
I have tried adding: "|rename risk_warning as description| rename risk_suspicious as description |" as well, but that does the same thing.
index="CiscoIPS" NOT (some stuff to eliminate internal IP ranges) | rename attacker as src_ip | append [ search index="netwitness" NOT (some stuff to eliminate internal IP ranges)| rename risk_warning as description| rename risk_suspicious as description ] | geoip src_ip | stats count by src_ip, description, index, geo_info |sort -count | head 100
So, I used the suggestion to use stats instead of top. I also figured out that I needed to do my renames within each search string as opposed to doing it after the two search strings (like I did in my original question).
I noticed that there were originally 3 people who responded to my question (as indicated via email) but there was only one post when I started initially responding. Not sure why you would delete your post. But anyway, thanks to those that responded!
Use of the top command removes all but the selected field and the count and percent fields. In any case, even if it preserved them, it would be necessary to specify which description you're looking for, as each src_ip could in principle have a different one.
You might rewrite as:
index=type1 OR index=type2 | stats first(description) as description, first(risk_warning) as risk_warning, first(risk_suspicious) as risk_suspicious, count by src_ip | sort - count | head 75
Also, looking at the data that is found, none of the IPS data shows up in the output (even though it is shown on the side in the field discovery). So, I would assume that "attacker" must be changed to "src_ip"...which I would assume I would use "rename attacker as src_ip" for. If that is true, where do I place it?
This works to some degree. The issue is that one index is netwitness and it labels the source as "src_ip" and uses "risk_" to indicate the type of attack. The IPS uses "attacker" as the source and uses "description" to indicate the type of attack.
When I run the search as you provided, description shows up as a column header, but there is no data listed. Looking at the fields to the right, it indicates that both indexes are used and that there is data in the description field.
I would think that, even if the attack/src_ip are the same, that both description and risk_ would be shown?
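As an added example (not part of the thread and not the answerer's query), the following search combines the two ideas raised above: normalizing the source field before stats, and folding the three attack-type fields into one. It assumes the index and field names exactly as given in the thread (CiscoIPS with attacker/description, netwitness with src_ip/risk_warning/risk_suspicious); the "NOT (...)" internal-range exclusion from the original search is left out here, so add your own where needed.

```spl
index="CiscoIPS" OR index="netwitness"
| eval src_ip=coalesce(src_ip, attacker)
| eval description=coalesce(description, risk_warning, risk_suspicious)
| stats count by src_ip, description, index
| sort -count
| head 75
```

Two points this addresses. First, chaining "rename risk_warning as description | rename risk_suspicious as description" makes the second rename overwrite the first, so any event that only had risk_warning ends up with an empty description; coalesce() instead takes the first non-null of the listed fields for each event. Second, because the eval runs before stats, the merged src_ip and description fields are the ones stats groups by, so events from both indexes land in the same rows whenever the values match, and the index column still shows which source each row came from. Since stats (rather than top) is used, description is not discarded from the output.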