I am trying to find a way to have a subsearch display all the raw data that leads up to the final result. In my instance I am searching for DMCA violations and I search across our firewall for the NAT translation, then our DHCP scope for the MAC address and finally out authentication server for the username. For documentation purposes I need to have all the raw logs that lead up to the username.
Below is my current subsearch:
[search sourcetype=dhcpd [search sourcetype="netscreen:firewall" ip=$SrcIP$ port=$Port$ | top limit=5 src | fields + src | rename src as search] | top limit=5 src_mac | fields + src_mac | rename src_mac as search] sourcetype="cisco_acs" | top User_Name limit="5"
Ideally I would like a report that shows something like
Username: xyz
NAT Translation:
raw logs
DHCP:
raw logs
Auth:
raw logs
