Thanks for getting me in the right direction. The following seems to work:

(index=aws sourcetype="aws:cloudtrail" eventName=TerminateInstances) OR (index=aws source="us-west-1:ec2_instances" sourcetype="aws:description")
| eval joiner=if(sourcetype="aws:cloudtrail", 'requestParameters.instancesSet.items{}.instanceId', vm_id)
| eval Time=if(eventName="TerminateInstances", _time, null())
| eval Time=strftime(Time, "%Y-%d-%m %H:%M:%S")
| stats values(*) as * by joiner
| where 'requestParameters.instancesSet.items{}.instanceId'=vm_id
| table Time, userName, action, vm_id, "tags.Name"

If I try something like this, though, it returns nothing:

(index=aws sourcetype="aws:cloudtrail" eventName=TerminateInstances) OR (index=aws source="us-west-1:ec2_instances" sourcetype="aws:description")
| eval joiner=if(sourcetype="aws:cloudtrail", 'requestParameters.instancesSet.items{}.instanceId', vm_id)
| eval Time=if(eventName="TerminateInstances", _time, null())
| eval Time=strftime(Time, "%Y-%d-%m %H:%M:%S")
| stats values(Time) as Time, values(userName) as userName, values(action) as action, values(vm_id) as vm_id, values('tags.Name') as tags.Name by joiner
| where 'requestParameters.instancesSet.items{}.instanceId'=vm_id
| table Time, userName, action, vm_id, "tags.Name"

I'm curious why the 2nd one returns nothing.
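An added example, not part of the original post, showing the explicit-field variant of this CloudTrail-to-EC2-description join with the dropped field restored. In the second search above, `stats` only emits the aggregations it is asked for plus the `by` field, so `requestParameters.instancesSet.items{}.instanceId` no longer exists when `where` runs and the comparison against `vm_id` is false for every row. Carrying it through under an alias (`terminatedId` is an assumed name) keeps the filter working; the date format is changed to year-month-day, which is an editorial choice.

```spl
(index=aws sourcetype="aws:cloudtrail" eventName=TerminateInstances) OR (index=aws source="us-west-1:ec2_instances" sourcetype="aws:description")
| eval joiner=if(sourcetype="aws:cloudtrail", 'requestParameters.instancesSet.items{}.instanceId', vm_id)
| eval Time=if(eventName="TerminateInstances", _time, null())
| eval Time=strftime(Time, "%Y-%m-%d %H:%M:%S")
| stats values(Time) as Time, values(userName) as userName, values(action) as action, values(vm_id) as vm_id, values('tags.Name') as tags.Name, values('requestParameters.instancesSet.items{}.instanceId') as terminatedId by joiner
| where terminatedId=vm_id
| table Time, userName, action, vm_id, "tags.Name"
```

Because `joiner` is already the shared key, an equivalent filter that needs no extra field is `| where isnotnull(Time) AND isnotnull(vm_id)`, which keeps only instances present on both the CloudTrail and the description side.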