The search that I'm interested in pulls the username out of the second query. This search worked great last year: "Trojan" | map search="search "User Authentication" IP=$dest_ip$" | fields username
It's not working any more. The dest_ip from the first source should map to the IP address in the second source. I get no results. Any thoughts on what changed or what I could do differently to return the same result?
I'm not sure what may have changed, but here's a different approach. You're basically trying to use the dest_ip field from one search to find events in another search, right? A basic pattern for that looks like this:
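As an added illustration (not part of the original answer), here is the subsearch form of that pattern, using the field names from the question (`dest_ip`, `IP`, `username`). The subsearch runs first and its `dest_ip` values are renamed to `IP` so they become the `IP=...` filter of the outer search; the alternative at the bottom avoids subsearch entirely and is not subject to the subsearch result limits.

```spl
/* Pattern 1: subsearch. The inner search runs first; `rename` makes its
   dest_ip values come back as IP=<value> OR IP=<value> ... terms, and
   `format` builds that boolean expression explicitly. */
"User Authentication"
    [ search "Trojan"
      | fields dest_ip
      | dedup dest_ip
      | rename dest_ip AS IP
      | format ]
| fields _time, IP, username

/* Caveat: a subsearch is truncated at 10,000 results and 60 seconds by
   default (limits.conf [subsearch] maxout / maxtime), silently dropping
   IPs beyond that. If the Trojan search can return many distinct IPs,
   use the stats-based form below instead. */

/* Pattern 2: no subsearch. Pull both event sets in one search, normalise
   the two IP field names into one, then keep only IPs that appeared in a
   Trojan event AND carry a username from an authentication event. */
"Trojan" OR "User Authentication"
| eval ip = coalesce(dest_ip, IP)
| stats count(eval(searchmatch("Trojan")))            AS trojan_hits,
        values(username)                               AS username
        BY ip
| where trojan_hits > 0 AND isnotnull(username)
| fields ip, username
```

If either source lives in a specific index or sourcetype, add that to the corresponding term (e.g. `index=<your_index> "Trojan"`) so the combined search does not pull unrelated events that merely contain the word "Trojan".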