Hi, THe use case is GitHub Dependabot vulnerability alerts, once recevied, searching another index with GitHub SBOM listing packages and versions, to see what version we have. i.e. This search works great to return on result, when scoped right so to essentially one event in each data source. index=github_vulnerabilities source="office-sites" security_vulnerability.package.name=semver-regex earliest=-26h latest=now | rename source AS repository security_vulnerability.package.name AS name | table repository name security_vulnerability.first_patched_version.identifier | append [search index="github" repository="office-sites" name=semver-regex earliest=-3d latest=now | table name version] | selfjoin name I'd like to loosen the top to remove the specific package at least, and then the append, to just be the index so that it returns all repos that have the affected package name. I've tried |join with max=0 and joining on one or two fields but I couldn't get it to come out how I expected/wanted.
... View more