I have a search that runs with no issues:

ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile) *.xls* OR *.csv | rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName | table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

What I want to do is take the value from ContextProcessId_decimal and use it in a second search as the value for the field TargetProcessId_decimal.

event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal

I've tried doing a search within the first search like the following, but it errors out. I've spent a good hour or two and have been unable to figure this out. -_-

ComputerName=CompName* (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile) *.xls* OR *.csv | rename FileName as WrittenFileName, FilePath as SourceFilePath, TargetFileName as DestinationFileName [|search event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2 TargetProcessId_decimal=ContextProcessid_decimal] | table _time, ComputerName, WrittenFileName, SourceFilePath, DestinationFileName, sourcetype, ContextProcessId_decimal,TargetProcessId_decimal

If I leave the renames in, it gives an error with that; if I take the rename out, it finds no results. Any help would be greatly appreciated!!
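Added example, not part of the original post: one way to feed ContextProcessId_decimal from the file-write events into the process search is to make the file-write search the subsearch and rename its output field, so the outer search receives ComputerName/TargetProcessId_decimal pairs as filter terms. It uses only the field names and event names from the post.

```spl
(event_simpleName=ProcessRollup2 OR event_simpleName=SyntheticProcessRollup2)
    [ search ComputerName=CompName*
        (event_simpleName=*written* OR event_simpleName=DirectoryCreate OR event_simpleName=*CreateFile)
        (*.xls* OR *.csv)
      | dedup ComputerName, ContextProcessId_decimal
      | fields ComputerName, ContextProcessId_decimal
      | rename ContextProcessId_decimal AS TargetProcessId_decimal ]
| table _time, ComputerName, event_simpleName, TargetProcessId_decimal
```

Subsearches are subject to default result-count and runtime limits, so keep the time range and host filter narrow enough that the inner search returns every process ID of interest.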