I appreciate your response! Unfortunately that search does not work. Let's make it a bit more simple. See below:
I have two sourcetypes:
(index=vulnerability sourcetype=json:id) with the following fields:
computername
secondaryid
id
(sourcetype="json:impacts") with the following fields:
c_id
cw_id
bs
is
I am having trouble with the limits on the 'join' command, so I need to use stats or something of the sort to 'join' this data. The two common fields in the sourcetypes that need to be joined are 'id' from the first one and 'c_id' from the second. The end result will show a table with computername, secondaryid, (common id/c_id) and the corresponding cw_id, bs and is fields.
My current search is below but it does not work. It only shows computername, ipv4, id and then the bs, is and cw_id fields are blank, but when looking through pages the bs, is and cw_id fields ARE displayed, but not with their corresponding computername, ipv4 and id.
(index=vulnerability sourcetype=json:cve) OR (sourcetype="json:impacts")
| eval computername=lower(computername),id=lower(id),c_id=lower(c_id),cw_id=lower(cw_id)
| rename c_id as id
| stats values(secondaryid) as ipv4 values(bs) as bs values(is) as is values(id) as id values(cw_id) as cwid by computername
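An added example, not part of the original post, that emulates Splunk's stats-based join on a handful of constructed events so the failure mode above is visible outside Splunk: grouping with `by computername` drops every json:impacts event (they have no computername field, so stats has no group to put them in), while grouping on the common id, or copying the impact fields onto the host events with eventstats and then keeping only the json:id rows, produces one row per computer with cw_id, bs and is filled in. The event values, the sourcetype names as written in the post, and the helper names are all assumptions made for the example.

```python
# Added example (not from the original post). Emulates `stats values(...) by <field>`
# and an `eventstats ... by id` enrichment over constructed events to show why the
# posted search returns blank bs/is/cw_id and how grouping on the shared id fixes it.
from collections import defaultdict

# Constructed sample events; field names follow the post, values are invented.
EVENTS = [
    {"sourcetype": "json:id", "computername": "HOST-A", "secondaryid": "10.0.0.5", "id": "CVE-2021-0001"},
    {"sourcetype": "json:id", "computername": "host-b", "secondaryid": "10.0.0.6", "id": "CVE-2021-0001"},
    {"sourcetype": "json:id", "computername": "HOST-C", "secondaryid": "10.0.0.7", "id": "cve-2021-0002"},
    {"sourcetype": "json:impacts", "c_id": "CVE-2021-0001", "cw_id": "CWE-79", "bs": "7.5", "is": "2.9"},
    {"sourcetype": "json:impacts", "c_id": "cve-2021-0002", "cw_id": "CWE-787", "bs": "9.8", "is": "5.9"},
]

LOWER_FIELDS = ("computername", "id", "c_id", "cw_id")


def normalize(event):
    """The post's `eval ...=lower(...)` followed by `rename c_id as id`."""
    e = {k: (v.lower() if k in LOWER_FIELDS else v) for k, v in event.items()}
    if "c_id" in e:
        e["id"] = e.pop("c_id")
    return e


def stats_values(events, by, fields):
    """Emulate `stats values(f) as f ... by <by>`.

    Events that lack the `by` field are dropped, which is exactly what happens
    to the json:impacts events when the posted search groups by computername.
    """
    groups = defaultdict(lambda: {f: set() for f in fields})
    for e in events:
        key = e.get(by)
        if key is None:
            continue
        for f in fields:
            if f in e:
                groups[key][f].add(e[f])
    return {k: {f: sorted(v) for f, v in g.items()} for k, g in groups.items()}


def join_by_computername(events):
    """The posted search: bs, is and cw_id come back empty for every host."""
    norm = [normalize(e) for e in events]
    return stats_values(norm, "computername", ["secondaryid", "bs", "is", "id", "cw_id"])


def join_by_id(events):
    """`stats values(...) by id`: both sourcetypes share the key, so they merge.
    Hosts sharing an id collapse into a multivalue computername field."""
    norm = [normalize(e) for e in events]
    return stats_values(norm, "id", ["computername", "secondaryid", "cw_id", "bs", "is"])


def enrich_by_id(events):
    """Emulate `eventstats values(cw_id) as cw_id values(bs) as bs values(is) as is by id`
    followed by `where sourcetype="json:id"`: the impact fields are copied onto every
    event with the same id, then only the host events are kept, one row per computer.
    """
    norm = [normalize(e) for e in events]
    impacts = stats_values([e for e in norm if e["sourcetype"] == "json:impacts"],
                           "id", ["cw_id", "bs", "is"])
    rows = []
    for e in norm:
        if e["sourcetype"] != "json:id":
            continue
        extra = impacts.get(e["id"], {"cw_id": [], "bs": [], "is": []})
        rows.append({"computername": e["computername"], "secondaryid": e["secondaryid"],
                     "id": e["id"], **extra})
    return rows


if __name__ == "__main__":
    print("by computername (posted search):", join_by_computername(EVENTS))
    print("by id:", join_by_id(EVENTS))
    for row in enrich_by_id(EVENTS):
        print("table row:", row)
```

The `enrich_by_id` path is the one that yields the table described in the post (one row per computername with its secondaryid, id, cw_id, bs and is); `join_by_id` is the simpler `stats ... by id` form, which is fine if one row per id with multivalue host fields is acceptable.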