Hello!
I am attempting to take a variety of values for a single field and essentially use another search from a different index to rename them to a more human-readable value. Both indexes do have a field that contains a 1:1 value that I could potentially use with |join; however, I am having issues with the stats table output where the search is failing to pull up any data or pulling up all data despite searching for a specific value in a field. I have tried |append as well but am not getting the results I expect.
Example:
index=index_ mac_address=* logical_vm=* state=online
| stats latest(physical_vm) as server latest(ip_address) as IP latest(logical_vm) as host by mac_address
| search server=z4c8h2 IP=* host=* name=*
| stats count by server
Output:
mac_address | server | IP | host
xx:xx:xx:xx:xx:xx | z4c8h2 | 10.0.0.0 | vm01.internet.io
index=translate box=z4c8h2
| table human_name
The translate index search shows the name that I would like to replace in the index_ search for server, but I can't get the stats table to update correctly.
Any suggestions how to format a join/append or some other method of getting the value to update in the Stats output table?