When using OR, you cannot dedup src_ip dest_ip immediately after search. That should be performed after stats, like what you do with join. Using the same structure @gcusello proposed, you can do:

(index=*corelight* sourcetype=*corelight* server_name=*microsoft.com*) OR (index="*firewall*" sourcetype=*traffic* src_ip=10.1.1.100)
| fields src_zone, src_ip, dest_zone, dest_ip, server_name, transport, dest_port, app, rule, action, session_end_reason, packets_out, packets_in, src_translated_ip, dvc_name
| stats values(*) AS * BY dest_ip
| dedup src_ip, dest_ip ``` most likely this is unnecessary after stats ```
| rename src_zone AS From, src_ip AS Source, dest_zone AS To, dest_ip AS Destination, server_name AS SNI, transport AS Protocol, dest_port AS Port, app AS "Application", rule AS "Rule", action AS "Action", session_end_reason AS "End Reason", packets_out AS "Packets Out", packets_in AS "Packets In", src_translated_ip AS "Egress IP", dvc_name AS "DC"
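To make the ordering point concrete, here is an added Python simulation of the two SPL commands involved; it is not from the answer above and not Splunk code. It re-implements the relevant semantics of `dedup` (first event per distinct combination of the listed fields wins, and with the default `keepempty=false` any event missing one of those fields is dropped) and of `stats values(*) AS * BY dest_ip` (one row per dest_ip holding the distinct values of every other field), then runs both orderings over a handful of constructed events. The sourcetype names, IPs and SNI in the sample are made up for the example.

```python
"""Why `dedup src_ip dest_ip` belongs after `stats values(*) AS * BY dest_ip` on an OR'd search.

Added example, not from the original answer and not Splunk's implementation. It models two
pieces of SPL behaviour in plain Python so the effect can be seen offline:
  * dedup: keeps the FIRST event for each combination of the listed fields and, with the
    default keepempty=false, drops any event in which one of those fields is missing.
  * stats values(*) AS * BY <key>: one row per key holding the distinct values of every other
    field across all events sharing that key (a multivalue field in Splunk, a list here).
"""
from collections import OrderedDict

# Constructed sample events, in search (arrival) order. Field names follow the answer's search:
# the firewall events carry zone/action fields, the Corelight events carry server_name.
EVENTS = [
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.100", "dest_ip": "13.107.4.50",
     "src_zone": "trust", "dest_zone": "untrust", "dest_port": "443", "action": "allowed"},
    {"sourcetype": "corelight_ssl", "src_ip": "10.1.1.100", "dest_ip": "13.107.4.50",
     "server_name": "login.microsoft.com", "dest_port": "443"},
    # Constructed Corelight event with no src_ip at all, to show the keepempty=false behaviour.
    {"sourcetype": "corelight_ssl", "dest_ip": "13.107.4.50",
     "server_name": "login.microsoft.com", "dest_port": "443"},
    {"sourcetype": "pan:traffic", "src_ip": "10.1.1.100", "dest_ip": "40.126.0.10",
     "src_zone": "trust", "dest_zone": "untrust", "dest_port": "443", "action": "allowed"},
]


def _hashable(value):
    """Multivalue fields (lists after stats) need a hashable form for the dedup key."""
    return tuple(value) if isinstance(value, list) else value


def dedup(events, fields, keepempty=False):
    """Splunk-style dedup: first event per distinct combination of `fields`.
    Events lacking any listed field are dropped unless keepempty is True (default False)."""
    seen = set()
    out = []
    for ev in events:
        if any(f not in ev for f in fields):
            if keepempty:
                out.append(ev)
            continue
        key = tuple(_hashable(ev[f]) for f in fields)
        if key in seen:
            continue
        seen.add(key)
        out.append(ev)
    return out


def stats_values_by(events, key):
    """stats values(*) AS * BY key: merge all events sharing `key` into one row whose other
    fields hold the sorted distinct values seen across those events."""
    rows = OrderedDict()
    for ev in events:
        if key not in ev:
            continue  # stats BY drops events where the group-by field is null
        row = rows.setdefault(ev[key], {key: ev[key]})
        for f, v in ev.items():
            if f != key:
                row.setdefault(f, set()).add(v)
    return [{f: (sorted(v) if isinstance(v, set) else v) for f, v in row.items()}
            for row in rows.values()]


def dedup_before_stats(events):
    """The ordering the answer warns against: dedup runs while each event still holds only
    one source's fields, so the firewall event wins and the Corelight SNI never reaches stats."""
    return stats_values_by(dedup(events, ["src_ip", "dest_ip"]), "dest_ip")


def stats_before_dedup(events):
    """The ordering the answer recommends: stats merges both sources per dest_ip first."""
    return dedup(stats_values_by(events, "dest_ip"), ["src_ip", "dest_ip"])


if __name__ == "__main__":
    for name, fn in (("dedup first", dedup_before_stats), ("stats first", stats_before_dedup)):
        print(f"== {name} ==")
        for row in fn(EVENTS):
            print(row)
```

Running it shows the row for 13.107.4.50 has no server_name when dedup runs first, but carries both the SNI and the firewall action when stats runs first. One further check worth keeping in mind with `values(*) BY dest_ip`: destinations that appear in only one of the two sources still produce a row (40.126.0.10 above has no SNI), so if you want only destinations seen by both, filter afterwards with something like `| where isnotnull(server_name) AND isnotnull(action)`.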