Hi community,
I have a combined search which includes two sourcetypes. Both include a field with a username. Let's say it looks like this:
Sourcetype1 Field1:
User1
User2
Sourcetype2 Field2:
User1
User2
User3
I need the values that are present in Field2, and are not in Field1. The other way around is not of interest, so a simple count and looking at <2 is not an option. So, my search needs to reflect that User3 is a value of an event in Field2, but not a value of an event in Field1.
How do I do that within my search?
The search itself:
| ldapsearch search=(&(objectClass=group)(cn=*OMITTED*)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| append [search sourcetype="*OMITTED2*" source="*OMITTED3*" *OMITTED4*=*OMITTED5* | rename *OMITTED6* AS Field2]
With many thanks!
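One way to get the set difference the question asks for (values present in Field2 but absent from Field1), as an added example that is not part of the original thread: each side is tagged with a marker field, the two result sets are combined, stats collapses them per user, and the where clause keeps only users seen on the Sourcetype2 side. The two makeresults blocks are constructed stand-ins for the ldapsearch and the sourcetype search in the question (they produce User1/User2 and User1/User2/User3 respectively); replace them with the real searches and keep the eval that sets src.

```spl
| makeresults count=2
| streamstats count AS n
| eval Field1="User".n, src="Sourcetype1"
| append
    [| makeresults count=3
     | streamstats count AS n
     | eval Field2="User".n, src="Sourcetype2"]
| eval user=coalesce(Field1, Field2)
| stats values(src) AS src BY user
| where mvcount(src)=1 AND src="Sourcetype2"
```

With the constructed input this returns a single row, user=User3. The same pattern works with join type=left followed by where isnull(Field1), but the stats form does not depend on both sides carrying an identically named join key, and it also reports users that appear only in Field1 if the final where clause is changed to src="Sourcetype1". Note that the appended search still runs as a subsearch and is subject to the subsearch result limits, so a silently truncated Field2 list would show up as missing rows here too.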
Try this. It will show events in the subsearch that are not in the main search.
| ldapsearch search=(&(objectClass=group)(cn=OMITTED)) attrs="member"
| mvexpand member
| xmlkv
| eval member=substr(member, 4, 6)
| rename member AS Field1
| join type=inner Field1 [search sourcetype="OMITTED2" source="OMITTED3" OMITTED4=OMITTED5 | rename OMITTED6 AS Field1]
It gives back 0 results. If I place:
join type=inner SOME_BOGUS_FIELD
instead of
join type=inner Field1
It gives results. But way fewer values for Field2 than I would expect. So something is not working correctly. Maybe that has to do with the ldapsearch module. I tried converting Field1 to a string using:
eval Field1=tostring(Field1)
but that did not help.
Do you have any idea how to proceed?
Perhaps I renamed the wrong OMITTED field to Field1. Modify the query so Field1 is the same in both the main search and the subsearch.