I have internal logs (index=loghistory) that have a field for unique users. I need to list the IP addresses from each unique user, but I only want to return the values that match the field for IP addresses that are in the IIS index. Doing the free form search is quick for my internal logs, but when done over the millions of events in IIS it takes too long. Is there a way to 1) quicken up a free form search in IIS and 2) return matching values for the IP address over both the internal logs and the IIS index? The matching values are based on the unique user ID, but that data is only in the loghistory index.
I have tried the join command but it doesn't produce the proper results:
index="loghistory" IPADDRESS="*" UniqueID="*" | rename IPADDRESS AS c_ip | join c_ip [search index=iis c_ip="*" host=WebHost01 OR host=WebHost02]
(index=loghistory IPADDRESS="*" UniqueID="*") OR (index=iis c_ip="*" host=WebHost01 OR host=WebHost02) | rename IPADDRESS AS c_ip | stats count by c_ip, UniqueID
These are two separate searches that I created; as shown, I tried using a JOIN command and I also tried using the OR function. Both didn't return the results that I wanted. I want to search the loghistory index, returning a set number of IPADDRESS values that will then be used as input to the second search, which will search the IIS index for those IP addresses.
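One way to feed the IP addresses from loghistory into the IIS search as a subsearch, added here as an illustrative example and not part of the original question; it assumes the index, field and host names quoted above (IPADDRESS, UniqueID, c_ip, WebHost01/02) and that both indexes are searchable from the same search head:

```spl
(index=loghistory IPADDRESS="*" UniqueID="*")
    OR
(index=iis host=WebHost01 OR host=WebHost02
    [ search index=loghistory IPADDRESS="*" UniqueID="*"
      | rename IPADDRESS AS c_ip
      | dedup c_ip
      | fields c_ip ])
| eval c_ip=coalesce(c_ip, IPADDRESS)
| stats values(UniqueID) AS UniqueID,
        count(eval(index="iis")) AS iis_hits
        by c_ip
| where iis_hits > 0
```

The subsearch expands to a `c_ip="..." OR c_ip="..."` clause, so the IIS side only retrieves events for those addresses instead of scanning every event; the final `where` drops loghistory addresses that never appeared in IIS, and the subsearch result limits configured in limits.conf still apply to the list of IPs returned.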