Hello!
I'm interested in passing a result or results (a list of users from proxy logs) from a subsearch into a field in my parent search (against AV logs). I tried using eval, but was unsuccessful. Is it possible to pass results from a subsearch into a variable? Any help would be appreciated!
Something like this doesn't work:
index=MyData sourcetype=AV_logs user=[index=MyData sourcetype=Proxy_logs src_ip="X.X.X.X" dst_port="80" domain="*pleasehelpme.splunk"| table user] | table user, event, etc