I want to search for an IDS event like this
sourcetype=IDS "MALWARE-CNC"
Then I want to use the src_IP and dst_IP to search the proxy logs to see if the proxy blocked the traffic. Something like this, I would think:
sourcetype=IDS "MALWARE-CNC" | fields src_ip dst_ip [ search sourcetype=proxy src_ip dst_ip action!=DENIED]
nearly : )
sourcetype=proxy action!=DENIED [ search sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]
Edit: missed out "search" in the subsearch
whoops - updated answer ....
Nick, thanks for the help. Here is the search I used:
sourcetype="bcoat_proxysg" action!=TCP_DENIED [ sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]
I get this error "Search operation 'sourcetype' is unknown. You might not have permission to run this operation."
rename should do that.
Assuming it's dst and dst_ip on the destination side, it's as follows:
sourcetype=proxy action!=DENIED [ search sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst | rename src as src_ip dst as dst_ip ]
Also, using the transforms I have in right now, the IDS uses "src" for the source IP and the proxy uses "src_ip".
How would I write the search to convert the IP from one field name to the other for the subsearch?
When a subsearch is processed, it's the inner subsearch that is run first, so in jonuwz's example, the malware-cnc search is processed first, and it's only the src and dest IPs from the malware search that are then searched for in the proxy data.
If I get the IDS alert and it is not denied by the proxy then an exploit is at hand. If the traffic is denied I can look at it later and don't need the alert right now.
So the !DENIED will generate an event that I can alert on.
If you are looking for just one, then why use "NOT DENIED"? Instead you can use that same value to search on. Try to create your searches in as positive a manner as possible. It will help with performance.
So why do I put the proxy search first? There are lots of "Not DENIED" logs to look through and I am only looking for one. Why not find the IP in IDS and pass it to the proxy search?
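To make the evaluation order discussed above concrete, here is an added Python model of the thread's search. It is not code from the thread, from Splunk or from Blue Coat: it simulates the three steps Splunk performs (run the subsearch first, expand its rows into an OR-of-ANDs filter, then run the outer proxy search with that filter and action!=TCP_DENIED). The IDS and proxy events are constructed sample data; the field names (src/dst on the IDS, src_ip/dst_ip on the proxy) and the TCP_DENIED value come from the thread, and the exact text of the expanded filter is an approximation of what Splunk generates.

```python
"""Model of how the Splunk subsearch in the thread is evaluated.

Added example, not code from the original thread, Splunk or Blue Coat. Events
below are constructed sample data; field names follow the thread (IDS uses
src/dst, the proxy uses src_ip/dst_ip, the proxy's action field uses
TCP_DENIED for blocked requests).
"""

# Constructed IDS events (sourcetype=IDS). Only MALWARE-CNC alerts matter.
IDS_EVENTS = [
    {"msg": "MALWARE-CNC beacon to known C2", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"msg": "MALWARE-CNC beacon to known C2", "src": "10.0.0.5", "dst": "198.51.100.7"},  # duplicate alert
    {"msg": "MALWARE-CNC outbound check-in", "src": "10.0.0.9", "dst": "203.0.113.20"},
    {"msg": "POLICY-OTHER port scan", "src": "10.0.0.3", "dst": "192.0.2.44"},
]

# Constructed proxy events (sourcetype=bcoat_proxysg).
PROXY_EVENTS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "action": "TCP_DENIED"},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.20", "action": "TCP_MISS"},
    {"src_ip": "10.0.0.3", "dst_ip": "192.0.2.44", "action": "TCP_MISS"},
    {"src_ip": "10.0.0.9", "dst_ip": "203.0.113.20", "action": "TCP_DENIED"},
]


def inner_subsearch(ids_events):
    """Step 1: the subsearch runs first.
    sourcetype=IDS "MALWARE-CNC" | fields src dst | dedup src dst
                                 | rename src as src_ip dst as dst_ip
    Returns the deduplicated, renamed (src_ip, dst_ip) rows in first-seen order."""
    rows = []
    for ev in ids_events:
        if "MALWARE-CNC" not in ev["msg"]:
            continue
        row = {"src_ip": ev["src"], "dst_ip": ev["dst"]}  # rename happens here
        if row not in rows:  # dedup src dst
            rows.append(row)
    return rows


def expand_subsearch(rows):
    """Step 2: Splunk turns the subsearch rows into a filter of the form
    ((src_ip="a" AND dst_ip="b") OR (src_ip="c" AND dst_ip="d")).
    The exact whitespace Splunk emits may differ; the logic is the same."""
    clauses = [
        "(" + " AND ".join(f'{k}="{v}"' for k, v in row.items()) + ")"
        for row in rows
    ]
    return "(" + " OR ".join(clauses) + ")"


def outer_search(proxy_events, rows, denied_value="TCP_DENIED"):
    """Step 3: the outer search runs over the proxy data with the expanded
    filter and action!=TCP_DENIED, so only C2 traffic the proxy let through
    remains. This is the event the thread wants to alert on."""
    return [
        ev for ev in proxy_events
        if ev["action"] != denied_value
        and any(ev["src_ip"] == r["src_ip"] and ev["dst_ip"] == r["dst_ip"] for r in rows)
    ]


def find_unblocked_cnc(ids_events, proxy_events):
    """Full pipeline, in the order Splunk evaluates it: subsearch, then outer."""
    return outer_search(proxy_events, inner_subsearch(ids_events))


if __name__ == "__main__":
    rows = inner_subsearch(IDS_EVENTS)
    print("subsearch expands to:", expand_subsearch(rows))
    for hit in find_unblocked_cnc(IDS_EVENTS, PROXY_EVENTS):
        print("ALERT: proxy did not deny", hit)
```

Because the subsearch is evaluated first, the proxy data is never scanned for every non-denied request; it is only scanned for the handful of src_ip/dst_ip pairs the IDS produced, which is the ordering the answers above recommend.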