There's been numerous other questions that I've read through to see if a similar situation has been asked but so far (from what I've gathered) they've not matched my situation, so I figure I'd ask here. My goal is to create an alert. index=abc123 Operation=EventTriggered
|spath input=Data
|fields reid This will give me reid (relative ID). In the same index (abc123) there's events that have a unique ID (the field name is GUID). So, using the above search's reid value, I want to take that value and search for it in GUID and return events. So, if reid=xyz, I want something along the lines of: index=abc123 GUID=xyz NOT (Operation=EventTriggered)
|rename "Parameters{}.Name" AS paramsName "Parameters{}.Value" AS paramsValue
|eval params=mvzip(paramsName,paramsValue)
|table myfields The issue is that I don't know which value of GUID to search for until I run the first search, and the field values that I care about and want to table are generated from my second search. My question, is, what is a good way to approach this? I don't think I can use a join since reid and GUID are different field names. In the result set of the first search I can't rename reid to GUID because the event with the recorded reid has its own GUID value. Although I can probably do some multivalue field manipulation to overcome that issue? Could I use a subsearch somehow? Maybe in the subsearch, get the value of reid and pass it in that way? Thanks.
... View more