I want to take the IP addresses that result from one search (where they are seen to perform a particular action, e.g. a GET request) and see if those IP addresses have been seen in another sourcetype, i.e. has any IP that has made a GET request been seen in sourcetype=A?
Here's the current search that yields the initial results:
sourcetype=* Request=GET Source!=10.* Status!=200
| table _time Source_IP Domain Status
| stats count(_time) as occurence values(Status) as "Status" by Source_IP
So now I want to take those Source_IPs and check if they are present in another sourcetype, e.g. alert_log.
There are a number of ways to do this; it kinda depends on what exactly you're looking to retrieve in your results and how your data is shaped. I'm making some assumptions about what fields you have extracted, of course, in the examples below.
One option is a subsearch, something like this basic subsearch:
sourcetype=A [search sourcetype=access_combined method=GET | dedup src_ip | fields + src_ip]
Other options include a join or a map command.
Another possibility is using stats:
(sourcetype=access_combined method=GET) OR (sourcetype=A) | stats count(eval(sourcetype="access_combined")) as num_get count(eval(sourcetype="A")) as num_a by src_ip | where num_get > 0
Hopefully this gives you some ideas of things to play with.
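As an added illustration (not part of the answer above or of Splunk itself), here is a small Python model of the two SPL patterns the answer describes, run over a handful of constructed events so you can see what each one actually returns. The event data, the field names (src_ip, method, status, signature) and the sourcetype names are assumptions made for the example; the stats-style function also requires both counts to be non-zero, because the question asks for IPs present in both sourcetypes.

```python
"""Model of the subsearch and stats correlation patterns over constructed events.

Each event is a dict with a `sourcetype` and extracted fields. The sample events
below are constructed for this example and do not come from any real system.
"""
from collections import defaultdict

# Constructed sample events (hypothetical field names and values).
EVENTS = [
    {"sourcetype": "access_combined", "method": "GET",  "src_ip": "203.0.113.5",  "status": "404"},
    {"sourcetype": "access_combined", "method": "GET",  "src_ip": "203.0.113.5",  "status": "403"},
    {"sourcetype": "access_combined", "method": "POST", "src_ip": "198.51.100.7", "status": "500"},
    {"sourcetype": "access_combined", "method": "GET",  "src_ip": "192.0.2.10",   "status": "401"},
    {"sourcetype": "access_combined", "method": "GET",  "src_ip": "10.1.2.3",     "status": "404"},
    {"sourcetype": "alert_log",       "src_ip": "203.0.113.5",  "signature": "scanner"},
    {"sourcetype": "alert_log",       "src_ip": "198.51.100.7", "signature": "bruteforce"},
    {"sourcetype": "alert_log",       "src_ip": "10.1.2.3",     "signature": "noise"},
]


def inner_search(events, sourcetype="access_combined", method="GET", exclude_prefix="10."):
    """Subsearch half: `search sourcetype=access_combined method=GET src_ip!=10.*
    | dedup src_ip | fields + src_ip`. Returns the distinct IPs it would emit."""
    return {
        e["src_ip"] for e in events
        if e["sourcetype"] == sourcetype
        and e.get("method") == method
        and not e["src_ip"].startswith(exclude_prefix)
    }


def subsearch_filter_string(ips, field="src_ip"):
    """What Splunk's implicit `format` turns the subsearch result into: a big OR
    of field=value terms that is appended to the outer search."""
    terms = sorted(f'( {field}="{ip}" )' for ip in ips)
    return "( " + " OR ".join(terms) + " )" if terms else "NOT *"


def subsearch_pattern(events, outer_sourcetype="alert_log"):
    """`sourcetype=alert_log [ <inner_search> ]`: outer events whose src_ip was
    produced by the inner search."""
    wanted = inner_search(events)
    return [e for e in events if e["sourcetype"] == outer_sourcetype and e["src_ip"] in wanted]


def stats_pattern(events, get_sourcetype="access_combined",
                  other_sourcetype="alert_log", exclude_prefix="10."):
    """`(sourcetype=access_combined method=GET) OR (sourcetype=alert_log)
    | stats count(eval(sourcetype="access_combined")) as num_get
            count(eval(sourcetype="alert_log")) as num_a by src_ip
    | where num_get > 0 AND num_a > 0`
    Returns {src_ip: (num_get, num_a)} for IPs seen in BOTH sourcetypes."""
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        if e["src_ip"].startswith(exclude_prefix):
            continue  # mirrors Source!=10.* from the original search
        if e["sourcetype"] == get_sourcetype and e.get("method") == "GET":
            counts[e["src_ip"]][0] += 1
        elif e["sourcetype"] == other_sourcetype:
            counts[e["src_ip"]][1] += 1
    return {ip: tuple(c) for ip, c in counts.items() if c[0] > 0 and c[1] > 0}


if __name__ == "__main__":
    print("subsearch expands to:", subsearch_filter_string(inner_search(EVENTS)))
    print("subsearch hits:", subsearch_pattern(EVENTS))
    print("stats hits:", stats_pattern(EVENTS))
```

Two practical points when moving this back into SPL. First, the subsearch only works if the field name matches in both sourcetypes; if the web logs use Source_IP and alert_log uses src_ip, add `| rename Source_IP as src_ip` inside the subsearch so the generated OR terms name the right field. Second, subsearches are capped by limits.conf (by default 10,000 results and 60 seconds), and results beyond the cap are silently dropped; when the inner search can return more distinct IPs than that, the stats pattern avoids the problem because it never materialises the list.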
Thank you very much for the input; I will have a go at these options. It will at least give me more than what I have now, haha. Much appreciated.