Solved: Perform a Lookup from results of another search

agodoy · ‎01-23-2013

I want to use the clientip field of an access_combined log to get the reported username from a bigfix search.

The bigfix search I am using is:

search index=bigfix sourcetype="software_inventory" | makemv delim="," src_ip | mvexpand src_ip | table src_ip, host, user_name

How would I go about correlating clientip to src_ip and adding the user_name field without having to build a csv and setup an automatic lookup.

Thanks!

yannK · ‎01-23-2013

try a join.

mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]

Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.

yannK · ‎01-23-2013

try a join.

mysearchonaccess_combined | table fieldA fieldB | join fieldB [ search mysearchonbigfix | table fieldB fieldC ]

Remark : the join will not go over 10 000 results for the sub search to try to limit your scope or regroup your results.

agodoy · ‎01-23-2013

Worked beautifully! Thanks!

Perform a Lookup from results of another search