I want to create a form that allows users to input a few search criteria, and I want it to perform a "base search" within log source A which will return a list of suspect IPs.
For example: Base Search (hidden from user): sourcetype=logA badguy=true | stats count by IP | search count>$CountThreshold$ | table IP
I want to take this list of suspect IP to look for matches in multiple sources and display search results from each individually.
For example:
Chart: sourcetype=logB [results from Base Search above] | timechart count by IP
Table: sourcetype=logC [results from Base Search above] | table username, login_status
For performance reasons I do not want to repeat the subsearch multiple times to obtain the same list of IPs. I want to do the subsearch once only and leverage that list in multiple subsequent searches. I thought about using "searchtemplate" and postprocessing, but I think it will only work when I perform further filtering or aggregation of the first result, not when using it as a subquery for a brand new search. I also thought about using dynamic drilldown, but it will pass the IP one at a time, not as a list. Is there any way to do this?
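One way to run the base search only once in a Splunk Simple XML form, added here as an illustration rather than code from the question: the base search pipes its IP list through `format`, which collapses the rows into a single `IP="..." OR IP="..."` search string, and a `<done>` handler stores that string in a token that the downstream panels splice into their own searches. The sourcetypes, field names, time range and the `suspect_ips` token name are assumptions carried over from the question.

```xml
<form>
  <label>Suspect IP pivot (illustrative dashboard, not from the question)</label>
  <fieldset submitButton="true">
    <input type="text" token="CountThreshold">
      <label>Count threshold</label>
      <default>10</default>
    </input>
  </fieldset>

  <!-- Base search: runs once per submit. "format" turns the IP column into one
       search-string row, e.g. ( ( IP="198.51.100.7" ) OR ( IP="203.0.113.9" ) ). -->
  <search id="base">
    <query>sourcetype=logA badguy=true | stats count by IP | search count>$CountThreshold$ | table IP | format</query>
    <earliest>-24h</earliest>
    <latest>now</latest>
    <done>
      <!-- $result.search$ is the "search" field of the first (only) result row. -->
      <set token="suspect_ips">$result.search$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Activity in logB for suspect IPs</title>
      <chart>
        <search>
          <!-- Waits until $suspect_ips$ is set, then runs as a plain search (no subsearch). -->
          <query>sourcetype=logB $suspect_ips$ | timechart count by IP</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <title>Logins in logC for suspect IPs</title>
      <table>
        <search>
          <query>sourcetype=logC $suspect_ips$ | table username, login_status</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Panels whose query references an unset token do not run, so the two pivots stay idle until the base search finishes and sets `$suspect_ips$`; check the base search result in the search bar first, because an empty IP list produces a `format` string that matches nothing rather than everything.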