Hello, I'm doing a detection for an event on the same index with 2 logs. I want to filter events of Event A based on whether the username field exists with the same value in Event B. I tried doing a sub-search but I get errors with the query below. I want to filter Event A by whether there are any events from Event B with the same original_user:

(index=<my index>) EventType="A"
| rename username as original_user
| eval Id=mvindex(newValue,0)
| eval Name=mvindex(newValue,1)
[ search index=<same index> <filtering by a string>
| eval src_email=mvindex(newValue,3)
| rex field=src_email "(?<original_user>[\w\d\.\-]+\@[\w\d\.]+)"
| fields original_user]
| stats values(*) as *

The above query says my eval is malformed. Is there any way to solve it? Append/Join? I also tested the query inside the sub-search by itself and it works with no issues.
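For readers hitting the same "malformed eval" error: a subsearch in SPL has to sit where a search command accepts it, not after an `eval`, so below is an added example (not from the original post) of the same correlation with the subsearch moved into the base search. It reuses the placeholder index and Event B filter from the question and assumes Event A carries the user in a `username` field, which is why the subsearch returns `username` (the field name before the rename) so the generated `username="..." OR username="..."` clause actually matches Event A.

```spl
index=<my index> EventType="A"
    [ search index=<my index> <filtering by a string>
      | eval src_email=mvindex(newValue,3)
      | rex field=src_email "(?<username>[\w\d\.\-]+@[\w\d\.]+)"
      | dedup username
      | fields username ]
| rename username AS original_user
| eval Id=mvindex(newValue,0), Name=mvindex(newValue,1)
| stats values(*) AS * BY original_user
```

The subsearch is capped by default at 10,000 results and 60 seconds (`[subsearch] maxout` and `maxtime` in limits.conf), so `dedup` keeps the returned user list small; if Event B can still exceed that, pull both event types in one base search and correlate them with `stats ... BY original_user` instead of a subsearch.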