I'm trying to do a JOIN with 2 searches but I'm having issues. I tried to do a multisearch join but I'm getting a streaming error.
I think one of the problems is that the searches both have an "id" column, but they reference two totally different things and I need to use it in the join. Here is the info below:
(I want to join these two searches)
SEARCH1 - "id" column is the ec2 instance name (I use this column for the join)
index=*_aws sourcetype=aws:description source="*ec2_instances" | rename id AS ec2id | table account_id, ec2id, state, ip, publicIP, instance_type, platform, vpc_id
SEARCH2 - "id" column is the sg name (I use instances{}.id to join "id" in SEARCH1)
index=*_aws sourcetype=aws:description source="*:ec2_security_groups"
| rename id AS sgid, instances{}.id AS ec2id
| table account_id, sgid, ec2id, name, rules{}.from_port, rules{}.grants{}.cidr_ip
I need to join on column ec2id.
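One way to express the join described above, as an added example that is not part of the original post. It uses the field names exactly as they appear in SEARCH1 and SEARCH2 and avoids multisearch entirely. Two things differ from the searches as posted: the security-group side is rolled up to one row per instance before the join, because instances{}.id is multivalued (one security group lists several instances) and a plain join only matches the first row per key; and the output names sg_name, from_port and cidr_ip are aliases chosen here, not fields that exist in the aws:description data.

```spl
index=*_aws sourcetype=aws:description source="*ec2_instances"
| rename id AS ec2id
| table account_id, ec2id, state, ip, publicIP, instance_type, platform, vpc_id
| join type=left ec2id
    [ search index=*_aws sourcetype=aws:description source="*:ec2_security_groups"
      | rename id AS sgid, instances{}.id AS ec2id
      | mvexpand ec2id
      | stats values(sgid) AS sgid,
              values(name) AS sg_name,
              values(rules{}.from_port) AS from_port,
              values(rules{}.grants{}.cidr_ip) AS cidr_ip
              by ec2id ]
| table account_id, ec2id, state, ip, publicIP, instance_type, platform, vpc_id, sgid, sg_name, from_port, cidr_ip
```

The rename of both "id" fields happens on each side before the join, so the two meanings never collide; the subsearch emits only ec2id plus the security-group fields, so the instance side's account_id is not overwritten by the join. type=left keeps instances that match no security group (drop it for an inner join). The subsearch is subject to the usual join limits (by default 10,000 results and 60 seconds); for large accounts, run both sources in one base search, derive ec2id with eval and mvexpand, and use stats by ec2id instead of join.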