Looking to build 1 correlation search to do the following: bring an extracted field name from 1 ST and search that field name across another ST. If hits in both ST, do not alert. If only hits in the first ST, do alert. Ideally, this would function similar to how $host$ can be used in a drilldown to pull the host name, though I'm not sure this is possible for a correlation search. Is there a command to do a comparison like this?

So far I have the following returning results:

sourcetype=A
| rex field=_raw "John\s+(?<endpoint>\w+)"
| append [| search sourcetype=B "Live" | rex field=_raw "Mike\s+(?<endpoint>\w+)"]

This does give me results from both indexes, but this is not correlating results from A to B (obviously). I have tried several commands (join, transaction, coalesce, etc.) and removed these failed attempts from the above for simplicity. I may have been using these commands incorrectly as well. TYIA
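As an added example (not the poster's own search), one way to get the "alert only when the endpoint is seen in A but not in B" behaviour is to pull both sourcetypes in a single search, extract the same endpoint field from each, and count per endpoint how many events came from each sourcetype; a stats-based anti-join like this avoids append/join and their subsearch limits. The sourcetype names A and B, the "Live" filter and the two rex patterns are copied from the question and assumed to be the real ones.

```spl
sourcetype=A OR (sourcetype=B "Live")
| rex field=_raw "John\s+(?<endpoint>\w+)"
| rex field=_raw "Mike\s+(?<endpoint>\w+)"
| where isnotnull(endpoint)
| stats count(eval(sourcetype="A")) AS hits_in_a count(eval(sourcetype="B")) AS hits_in_b BY endpoint
| where hits_in_a > 0 AND hits_in_b = 0
```

The first rex leaves endpoint empty on events without "John", so the second rex fills it from the B events and the isnotnull filter drops anything matching neither pattern. Because the comparison is evaluated only over the correlation search's time range, an endpoint whose B events fall outside that window will still alert, so widen the window or feed B into a lookup from a separate scheduled search if B lags A.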