Thank you for your help. I will elaborate. Owners of servers with host names that are assigned to various owners are in one index and sourcetype. FW traffic is in another. I want to create an inventory list of servers belonging to one specific user (this information would be in its own index and sourcetype) and find all denied traffic to a specific port, which would be in the FW index and sourcetype. I thought I would be able to accomplish this using a subsearch, where I search for denied traffic to port 22, as an example, using the source IP address as an output commonality for the main search to match those src IP addresses to machines that are owned by one user. I may have misread the documentation. I hope that I have helped you better help me with my reply.
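The subsearch pattern described in the post, written out as an added example that is not part of the original post. The index and sourcetype placeholders in angle brackets, the asset field names `host`, `ip` and `owner`, and the firewall fields `action`, `dest_port` and `src_ip` (with `denied` as the action value) are assumptions; substitute the names your data actually uses.

```spl
index=<asset_index> sourcetype=<asset_sourcetype> owner="<owner_name>"
    [ search index=<fw_index> sourcetype=<fw_sourcetype> action=denied dest_port=22
      | stats count BY src_ip
      | fields src_ip
      | rename src_ip AS ip ]
| stats values(ip) AS ip BY host, owner
```

The inner search runs first and hands the outer search an OR-list of `ip` values, which is why `src_ip` is renamed to match the asset field. Subsearches are capped on result count and runtime, so keep the firewall time range narrow or the list of source addresses can be truncated without an error.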