I have some ironport logs that I am trying to tie together within Splunk without much success.
Currently I have a search that will return MID and ICID values. I would then like to get further events that match those field values. I have done this successfully using the map command, using something like the below.
index=someindex sourcetype=somesourcetype sender="some@sender.com"
| map search="search index=someindex sourcetype=somesourcetype (mid=$mid$ OR icid=$icid$)"
The issue I am now facing is that sometimes the MID values get rewritten, so I also need to run another search that will get events that match the new rewritten MID value. I have tried various different subsearches and joins, including trying the appendpipe command, but have been unable to pull the other events.
Eventually, once I've got all the relevant events, I want to pipe those values into a stats command to group by time or some other field.
Any help is much appreciated.
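One way to follow the rewritten MIDs without map, written here as an added example rather than anything from the post: a nested subsearch first collects the sender's MID/ICID pairs, the middle stage pulls their events and swaps in the rewritten MID where one appears, and the outer search fetches every event for the final set before the stats step. The field names mid and icid are taken from the post; the "rewritten to MID <n>" text that the rex pattern keys on is an assumption about the log line format and should be checked against real events.

```spl
index=someindex sourcetype=somesourcetype
    [ search index=someindex sourcetype=somesourcetype
        [ search index=someindex sourcetype=somesourcetype sender="some@sender.com"
          | dedup mid icid
          | fields mid icid
          ``` emit (mid=A OR icid=B) OR (mid=C OR icid=D) ... ```
          | format "(" "(" "OR" ")" "OR" ")" ]
      ``` assumption: the rewrite event contains "rewritten to MID <n>" ```
      | rex "rewritten to MID (?<new_mid>\d+)"
      ``` rows carrying a rewrite adopt the new MID; all others keep their own ```
      | eval mid=coalesce(new_mid, mid)
      | dedup mid icid
      | fields mid icid
      | format "(" "(" "OR" ")" "OR" ")" ]
``` every event for the original and the rewritten MIDs is now in the pipeline ```
| stats earliest(_time) AS first_seen latest(_time) AS last_seen
        values(icid) AS icid count BY mid
```

Subsearches are capped by the default result and time limits, so for a noisy sender or a wide time range the inner searches may silently truncate; check the search job's messages before trusting the stats output.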