So, the reason I am looking to do this search is because the logs for this system are not the greatest and, therefore, what I do is take an initial account I am investigating, search on that account for logins, and then use the session IDs from those logins and search on those session IDs. The reason is because the IPs and account names are not always included in every event/log for that particular session. I would like to be able to pass in the IP into each of the events that map is running over so that they can be created as a new field on that event. That way, I can make a table to track what IP was mapped to which session ID.
Here is what I have so far
index=blah METHODNAME="/login" OR METHODNAME="/logonuser" "accountname" |rex field=DESCRIPTION "from\sip\:(?<ip2>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex field=DESCRIPTION "from\sip\:\s(?<ip3>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval IP=coalesce(ip2,ip3)| stats count by SessionID IP|map search="search index=blah $IP$ SessionID=$SessionID$" | table _time, SessionID, IP, METHODNAME, _raw
I haven't been able to figure this out and am not sure whether or not this is possible with the map command. But, if not, is there a different way I could solve this issue, perhaps with just a regular subsearch?