Hey Community, I am trying to get my head around this query.

My subsearch below: the query will look for the API path, src and IPs, and I am doing a DNS lookup to get the hostname, which is present in a different index.

    site = "friendly" index=traffic_log src="*" uri="*"
    | eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year
    | mvexpand date
    | dedup src
    | dedup uri
    | lookup dnslookup clientip as src OUTPUT clienthost as ComputerName
    | where like (ComputerName,"p%")
    | dedup ComputerName
    | table ComputerName,src,uri,date

Main query. If you see my main query, ComputerName is the only field which is present in the main index search and which I want to use for searching by ComputerName. This will give the owner details of the hostname, but I also want the src, uri and date fields from the subsearch to be added to the table.

    index="wineventlog" source="WinEventLog:Application"
        [ search site = "friendly.org" index=traffic_log src="*" uri="*"
          | eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year
          | mvexpand date
          | dedup src
          | dedup uri
          | lookup dnslookup clientip as src OUTPUT clienthost as ComputerName
          | where like (ComputerName,"p%")
          | dedup ComputerName
          | fields ComputerName,src,uri,date ]
    | dedup ComputerName
    | dedup ownerEmail
    | dedup ownerFull
    | dedup ownerName
    | dedup ownerDept
    | table ComputerName, ownerEmail,ownerFull,ownerName,ownerDept,src,uri,date

Can someone throw insights into the query?
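Added example, not from the original post: in SPL a subsearch is rendered into a search filter for the outer search, it does not carry its fields into the outer results. Because the subsearch above returns ComputerName, src, uri and date, each returned row becomes an AND of four field=value terms, and WinEventLog:Application events have no src, uri or date field to match. One way to get the owner fields and the traffic-log fields into one row per host is to use the subsearch only to restrict the outer search to the ComputerName values, aggregate the owner fields per host, and then join the traffic-log fields back in by ComputerName. Index names, field names and the dnslookup lookup are taken from the post; the use of join, the stats latest()/values() aggregations and restricting the inner subsearch to `fields ComputerName` are assumptions about the intended result.

```spl
index="wineventlog" source="WinEventLog:Application"
    [ search site="friendly.org" index=traffic_log src="*" uri="*"
      | lookup dnslookup clientip AS src OUTPUT clienthost AS ComputerName
      | where like(ComputerName, "p%")
      | dedup ComputerName
      | fields ComputerName ]
| stats latest(ownerEmail) AS ownerEmail
        latest(ownerFull)  AS ownerFull
        latest(ownerName)  AS ownerName
        latest(ownerDept)  AS ownerDept
        BY ComputerName
| join type=inner ComputerName
    [ search site="friendly.org" index=traffic_log src="*" uri="*"
      | eval date = date_month + "/" + date_mday + "/" + date_wday + "/" + date_year
      | lookup dnslookup clientip AS src OUTPUT clienthost AS ComputerName
      | where like(ComputerName, "p%")
      | stats values(src) AS src values(uri) AS uri values(date) AS date BY ComputerName ]
| table ComputerName ownerEmail ownerFull ownerName ownerDept src uri date
```

With `fields ComputerName` the first subsearch expands to `(ComputerName="...") OR (ComputerName="...")`, which is the only filter the Application events can satisfy, and the second subsearch supplies src, uri and date per host as multivalue fields. Both subsearches are subject to the usual subsearch row and time limits, so for a large traffic_log population an `append` of the two searches followed by `stats values(*) BY ComputerName` is the more scalable alternative.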