I have a search that returns correct results. However, the join subsearch portion is constantly hitting the max 50,000-result limit. I'd like to run this against a larger time range so I can produce a weekly report. Right now, I have to keep the time range small to get any results.
While this is a cool command that I didn't know existed, it doesn't give me the results that I need. I end up with over a million results. My posted search gives me two results. I will update the initial question with some sample data and expected results.
@BrandonKeep While the actual query would be based on sample data and the correlation between the two sourcetypes and the fields coming from each sourcetype, here is a starting point:
index=os sourcetype=linux_audit ((type=SYSCALL key=pci) OR type=CWD)
| stats count AS eventCount values(type) AS types earliest(_time) AS EarliestTime latest(_time) AS LatestTime BY msg
| search eventCount>1 types="SYSCALL" AND types="CWD"
PS: The stats aggregation above needs to have other fields (like exe, comm, success) included as needed, along with their correlation/aggregation.
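As an added, fuller example (not part of the original answer) of the same join-free pattern: both the SYSCALL and the CWD record of one audit event carry the same msg=audit(<timestamp>:<serial>) id, so grouping on msg with stats correlates them without a subsearch and therefore without the 50,000-row subsearch limit, which is what makes a week-long time range workable. It assumes the linux_audit sourcetype extracts the fields exe, comm, success and cwd (the first three are the ones named in the PS; cwd and the output column names are my assumptions), and it carries the per-record fields through with values() so they survive the aggregation:

```spl
index=os sourcetype=linux_audit ((type=SYSCALL key=pci) OR type=CWD)
| stats count AS eventCount
        values(type) AS types
        values(exe) AS exe
        values(comm) AS comm
        values(success) AS success
        values(cwd) AS cwd
        min(_time) AS EarliestTime
        max(_time) AS LatestTime
        BY msg
| search eventCount>1 types="SYSCALL" types="CWD"
| eval EarliestTime=strftime(EarliestTime, "%Y-%m-%d %H:%M:%S"),
       LatestTime=strftime(LatestTime, "%Y-%m-%d %H:%M:%S")
| table msg EarliestTime LatestTime exe comm success cwd
```

The key=pci filter is applied only to SYSCALL records in the base search, so every CWD record in the time range is read; the search after stats then drops any msg group that did not also get a pci-keyed SYSCALL record. That is the trade-off versus join: more events flow into stats, but stats is distributed across indexers and has no row cap, so the only thing to watch on a weekly run is the cardinality of msg, which is one bucket per audit event.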