Hello,
I have a tstats query that works really well. However, I am trying to add a subsearch to it to attempt to identify a user logged into the machine. Here is what I am trying to do:
| tstats summariesonly=t count as Count, dc(fw.rule) as dc_rules, values(fw.rule) as rules, max(_time) as LastSeen, values(fw.dest_ip) as Destination FROM datamodel=Firewall.fw WHERE (fw.dest_ip="8.8.4.4" OR fw.dest_ip="8.8.8.8") AND fw.action="blocked" BY fw.src_ip, fw.action | rename fw.src_ip as src_host, fw.action as action | join src_host [ search index=proxy | fields src_host,UserName ] | table src_host,Destination,action,UserName,Count
The proxy index is a heavy index with lots of data; ideally I would like to set the other search to only look for traffic from src_host and then return the username. Anyone have any ideas how I can A.) improve the search and B.) get it to work 🙂
Many thanks!
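One way to keep the proxy search scoped to only the source hosts the tstats query returned, as an added example that is not part of the original post: the same tstats query runs as an inner subsearch whose src_host values are turned into a filter with `format`, and the proxy events are collapsed to one row per host before the join. It assumes, as in the post, that the proxy index carries src_host and UserName as extracted fields.

```spl
| tstats summariesonly=t count AS Count, dc(fw.rule) AS dc_rules, values(fw.rule) AS rules,
    max(_time) AS LastSeen, values(fw.dest_ip) AS Destination
    FROM datamodel=Firewall.fw
    WHERE (fw.dest_ip="8.8.4.4" OR fw.dest_ip="8.8.8.8") AND fw.action="blocked"
    BY fw.src_ip, fw.action
| rename fw.src_ip AS src_host, fw.action AS action
| join type=left src_host
    [ search index=proxy
        [ | tstats summariesonly=t count
              FROM datamodel=Firewall.fw
              WHERE (fw.dest_ip="8.8.4.4" OR fw.dest_ip="8.8.8.8") AND fw.action="blocked"
              BY fw.src_ip
          | rename fw.src_ip AS src_host
          | fields src_host
          | format ]
      | stats values(UserName) AS UserName BY src_host ]
| table src_host, Destination, action, UserName, Count
```

The inner `format` subsearch is subject to the default subsearch limits (10,000 results and a 60-second timeout), so if the blocked-host list is large, check `limits.conf` or narrow the time range before trusting the join for completeness.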