Here's the query I have that is getting results from two sourcetypes:
index=bro (sourcetype=bro_files OR sourcetype=bro_http) FBAT7S1VCAkUPRDte2 | eval fuid=coalesce(resp_fuids, orig_fuids, fuid) | table fuid, seen_bytes, md5, mime_type, domain, uri
Here are the results:
fuid                seen_bytes  md5                               mime_type        domain  uri
FBAT7S1VCAkUPRDte2  215978730   f3906f58da42a24b853d26c83e4488e5  application/zip
FBAT7S1VCAkUPRDte2                                                application/zip  ex.com  /test.zip
Desired results:
fuid                seen_bytes  md5                               mime_type        domain  uri
FBAT7S1VCAkUPRDte2  215978730   f3906f58da42a24b853d26c83e4488e5  application/zip  ex.com  /test.zip
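One way to collapse the two rows into one, as an added example that is not part of the original post: after the coalesce, aggregate every non-key field by fuid with stats, so the files.log event contributes seen_bytes and md5 while the http.log event contributes domain and uri (this assumes the field names shown above are the ones present in the index, and that each fuid maps to one file; if resp_fuids were multivalue, the single-row result would also be multivalue).

```spl
index=bro (sourcetype=bro_files OR sourcetype=bro_http) FBAT7S1VCAkUPRDte2
| eval fuid=coalesce(resp_fuids, orig_fuids, fuid)
| stats values(seen_bytes) as seen_bytes
        values(md5) as md5
        values(mime_type) as mime_type
        values(domain) as domain
        values(uri) as uri
        by fuid
| table fuid, seen_bytes, md5, mime_type, domain, uri
```

Dropping the literal file id from the first line turns this into a general files-to-HTTP join for every fuid in the time range, which is the usual shape for enrichment searches over Bro file hashes.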