I must have inadvertently deleted your latest post when I removed a duplicated comment I made.
I tried your code:
index=fireeye sourcetype=hx_json [search index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" | table dhost | rename dhost as search | format ] OR (index=fireeye sourcetype=hx_cef_syslog act="Detection IOC Hit" ) | stats values(ioc_name) values(*username) values(alert.host.hostname) values(alert.host.os) values(alert.host.ip) values(alert.event_type) by _time
but it did not work; there is a time difference between the hx_json events and the hx_cef_syslog events, a few seconds' difference...
I am using dhost=x in sourcetype=hx_cef_syslog and alert.host.hostname=x in sourcetype=hx_json, where x is a computer name... the computer name value is the key I am using.
I am also trying coalesce:
(index=fireeye sourcetype=hx_json alert.host.hostname=) OR (index=fireeye sourcetype=hx_cef_syslog dhost=) | eval match_host=coalesce(alert.host.hostname, dhost) | stats values(ioc_name) by match_host
but I am still going through the fields to see if I can grab everything I need...
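The join-by-`_time` failure described in the post is worth seeing outside Splunk. The script below is an added example, not code from the post or from FireEye/Splunk: it correlates hx_cef_syslog "Detection IOC Hit" events with hx_json alerts by host name, first requiring an exact timestamp match (which finds nothing, as the poster saw) and then allowing a few seconds of skew. All events, host names, IOC names, IP addresses and the exact CEF header layout are constructed for illustration; only the field names (`act`, `dhost`, `alert.host.hostname`, `alert.host.os`, `alert.host.ip`, `alert.event_type`, `ioc_name`) are taken from the queries in the post.

```python
"""Correlate FireEye HX CEF syslog detections with HX JSON alerts by host,
tolerating a few seconds of timestamp skew between the two feeds."""
import re
from datetime import datetime

# Constructed sample events for illustration only (not real FireEye HX output).
# Field names follow the Splunk queries in the post: hx_cef_syslog carries
# act= and dhost=, hx_json carries alert.host.* and ioc_name.
CEF_EVENTS = [
    "2024-03-01T10:00:03Z CEF:0|FireEye|HX|5.0|IOC|Detection|7|act=Detection IOC Hit dhost=WS-0142 dvc=10.0.0.5",
    "2024-03-01T10:05:10Z CEF:0|FireEye|HX|5.0|IOC|Detection|7|act=Detection IOC Hit dhost=SRV-DB01 dvc=10.0.0.5",
    "2024-03-01T10:06:00Z CEF:0|FireEye|HX|5.0|IOC|Contain|3|act=Host Contained dhost=WS-0142 dvc=10.0.0.5",
]
JSON_EVENTS = [
    {"_time": "2024-03-01T10:00:00Z", "ioc_name": "Suspicious LSASS Access",
     "alert": {"host": {"hostname": "WS-0142", "os": "Windows 10", "ip": "10.1.4.22"},
               "event_type": "processEvent"}},
    {"_time": "2024-03-01T10:05:12Z", "ioc_name": "Encoded PowerShell",
     "alert": {"host": {"hostname": "SRV-DB01", "os": "Windows Server 2019", "ip": "10.1.9.3"},
               "event_type": "processEvent"}},
    # Same host as the first alert but half an hour later: must NOT be joined
    # to the 10:00:03 syslog hit.
    {"_time": "2024-03-01T10:30:00Z", "ioc_name": "Suspicious LSASS Access",
     "alert": {"host": {"hostname": "WS-0142", "os": "Windows 10", "ip": "10.1.4.22"},
               "event_type": "processEvent"}},
]

# CEF extension: key=value pairs where a value may contain spaces
# (act=Detection IOC Hit), so each value runs until the next " key=" token.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_cef(line):
    """Split 'timestamp CEF:0|...|extension' into a dict of extension fields
    plus the syslog timestamp under _time."""
    when, cef = line.split(" ", 1)
    ext = cef.split("|", 7)[7]          # everything after the 7 CEF header fields
    fields = dict(_KV.findall(ext))
    fields["_time"] = when
    return fields


def correlate(cef_events, json_events, tolerance_s):
    """For every 'Detection IOC Hit' syslog event, attach the hx_json alert(s)
    for the same host whose timestamp is within tolerance_s seconds.
    tolerance_s=0 reproduces the failure of 'stats ... by _time': the two
    feeds never line up to the second, so nothing is joined."""
    merged = []
    for line in cef_events:
        hit = parse_cef(line)
        if hit.get("act") != "Detection IOC Hit":
            continue
        host, t_cef = hit["dhost"], ts(hit["_time"])
        for j in json_events:
            if j["alert"]["host"]["hostname"] != host:
                continue
            if abs((ts(j["_time"]) - t_cef).total_seconds()) > tolerance_s:
                continue
            merged.append({
                "match_host": host,
                "cef_time": hit["_time"],
                "json_time": j["_time"],
                "ioc_name": j["ioc_name"],
                "os": j["alert"]["host"]["os"],
                "ip": j["alert"]["host"]["ip"],
                "event_type": j["alert"]["event_type"],
            })
    return merged


if __name__ == "__main__":
    print("exact _time join:", len(correlate(CEF_EVENTS, JSON_EVENTS, 0)), "rows")
    for row in correlate(CEF_EVENTS, JSON_EVENTS, 10):
        print(row)
```

The exact join returns no rows; the 10-second window joins both detection hits to their alerts and leaves the unrelated 10:30 alert out. The SPL equivalent of the tolerance is to stop grouping on the raw `_time`: either drop it from the `by` clause and group on the coalesced host alone, as the second query in the post does, or bucket it first (`bin _time span=1m` before `stats ... by match_host, _time`), bearing in mind that a fixed bucket can still split two events that straddle its boundary.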