I have 2 searches.
Search A produces a table output of "UserIP"
Search B produces a table output of "FailedDestinationIP' and "FailedSourceIP". (search will have both values reported)
I want to see if "UserIP" matches either "FailedDestinationIP" or "FailedSourceIP" in search B. If it matches "Failed Destination" then I want output of "FailedSourceIP" or if it matches "FailedSourceIP" I want output of "FailedDestinationIP".
It's ok if this is broken into to searches, rather than performing in one operation, as I really want 2 list of of either FailedsourceIP or Failed DestinationIP, where UserIP matches the opposite.
I have tried some join commands and eval commands, but my results are not correct.
Search A:
source = abc | rex ".UserIP (?\S+)" | rex "(role(s):\s|role\s)(?\S+)." | rex "AuthGroup: (?\S+)" | search roles=$RoleName$ | table UserIP | dedup UserIP
Search B:
source = xyz | rex "unnel (?\S+) failed to (?\S+)" | table FailedDestinationIP FailedSourceIP
Seems simple, but I can't get it right. Thanks in advance!
... View more
