Hi,
Wondering if anyone can help.
I am trying to create a new field called FS_Owner_Mail using |eval from both the mail and FS_Owner existing fields but not too sure how to work it into the below search.
index=varonis sourcetype=xxx:varonis:csv:reports
| eval User_Group=replace(replace('User_Group',"xxxxl\\\\","")," ","")
| join type=left User_Group
[ search index=ad source=xxx_adgroupmemberscan memberSamAccountName="*_xxx" earliest=-48h
| dedup groupSamAccountName, memberSamAccountName
| rename groupSamAccountName as User_Group, memberSamAccountName as Member
| join type=left Member
[ search index=ad source="xxx_aduserscan" samAccountName="*_xxx"
| dedup samAccountName
| rename samAccountName as Member
| table Member, displayName, mail]
| stats values(Member) as Member, values(displayName) as DisplayName, values(mail) as Mail by User_Group
| eval User_Group=replace(replace('User_Group',"_xxx","")," ","")]
| table Access_Path Current_Permissions, DisplayName, FS_Owner, Flags, Inherited_From_Folders, Mail, Member, User_Group
