I'm trying to build a search that returns the changes that were made to the GPO.
For this, I have my main search that looks for EventCodes 4662, 5137, 5136 and 5141, which are related to changes in the GPO but do not show what the change specifically was.
I have another index (AD AUDIT) that logs all changes.
I'm trying to use join, but I can't get the changes to return. Changes have more than one field for each GPO_GUID.
My search looks like this:
index=win (EventCode=4662 ObjectType=groupPolicyContainer) OR (EventCode=5137 ObjectClass=groupPolicyContainer) OR (EventCode=5136 ObjectClass=groupPolicyContainer) OR (EventCode=5141 ObjectClass=groupPolicyContainer Tree_Delete=yes)
| rex field=ObjectName "(?i)CN=(?<gpo_guid>{.*?})"
| rex field=ObjectDN "(?i)CN=(?<gpo_guid>{.*?})"
| join type=left gpo_guid
    [ search index=summary objectClass=groupPolicyContainer earliest=-24h@h latest=now()
      | stats count by cn, displayName
      | fields + cn, displayName
      | rename cn as gpo_guid ]
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED")
| table action, src_user, displayName, gpo_guid, ObjectGUID
| rename ObjectGUID as ADDITIONAL_INFO
| join max=0 type=left ADDITIONAL_INFO
    [ search index=audit
      | stats values(ATTRIBUTES_NEW_VALUE) as ATTRIBUTES_NEW_VALUE, values(ATTRIBUTES_OLD_VALUE) as ATTRIBUTES_OLD_VALUE by ADDITIONAL_INFO
      | fields ADDITIONAL_INFO, ATTRIBUTES_NEW_VALUE, ATTRIBUTES_OLD_VALUE ]
Is my search correct?
For the join to run successfully, I need the field in search 1 to be the same as the field in search 2, correct?
If a GPO has multiple changes, how can I get these results?
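A stats-based way to correlate the two indexes, added here as an example and not code from the original post. Instead of a join (which needs the same field name and the same value on both sides, and is capped by subsearch result limits), it reads the Windows security events and the audit index in one search, normalises the shared key, builds the old/new change text per audit event so the pairing survives aggregation, and then groups by that key. The field names ObjectGUID, ADDITIONAL_INFO, ATTRIBUTES_OLD_VALUE and ATTRIBUTES_NEW_VALUE come from the search above; the assumption that ADDITIONAL_INFO in the audit index carries the same GUID as ObjectGUID in the security events is the same one the original join relies on. The "ACCESSED" label for 4662 and the "(none)" placeholder for a missing old or new value are choices made for this example.

```spl
(index=win ((EventCode=4662 ObjectType=groupPolicyContainer) OR (EventCode=5137 ObjectClass=groupPolicyContainer) OR (EventCode=5136 ObjectClass=groupPolicyContainer) OR (EventCode=5141 ObjectClass=groupPolicyContainer Tree_Delete=yes)))
    OR (index=audit ADDITIONAL_INFO=*)
| eval join_key=coalesce(ObjectGUID, ADDITIONAL_INFO)
| eval join_key=lower(replace(join_key, "[{}]", ""))
| eval action=case(EventCode=5137, "CREATED", EventCode=5136, "MODIFIED", EventCode=5141, "DELETED", EventCode=4662, "ACCESSED")
| eval change=if(index="audit", coalesce(ATTRIBUTES_OLD_VALUE, "(none)") . " -> " . coalesce(ATTRIBUTES_NEW_VALUE, "(none)"), null())
| stats values(action) as action,
        values(src_user) as src_user,
        list(change) as changes,
        count(eval(index="win")) as security_events,
        count(eval(index="audit")) as audit_events
        by join_key
| where security_events > 0
```

The join_key normalisation (braces stripped, lower-cased) makes the match tolerant of the two sources writing the GUID differently; if they already agree, it is harmless. `list(change)` keeps every change for a GPO as one multivalue field with duplicates and order preserved, whereas `values()` would deduplicate and drop the old/new pairing across two separate fields. The `where` clause discards audit rows with no matching security event, which is the left-join behaviour of the original. One difference to keep in mind: with a single search the time picker applies to both indexes, so the audit events must fall inside the same window as the 4662/5136/5137/5141 events; the original subsearch had no time bound of its own.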