I'm trying to search through one sourcetype called "Windows_System".
There's also a specific field I'm interested in first called "EventCode".
If I do a search only for sourcetype="Windows_System" EventCode=1, I get the results I want.
There's an executable that I want to be present in the fields when I search for EventCode 2 called "executable.exe".
If I do a search only for sourcetype="Windows_System" EventCode=2 process="executable.exe", I get the results I want.
However, there are fields that show up when EventCode=1 is specified that aren't present when EventCode=2 is. I want to chart out all the fields I want if both EventCode values are specified.
The good thing is that there's a common field with a unique value between both searches called "GUID" so I can focus on that.
Here's the query so far:
sourcetype="Windows_System" EventCode=2 Image="executable.exe"
| join GUID type=outer [search sourcetype="Windows_System" EventCode=1]
| rename SourceHostname as hostname_ip, SourceIp as source_ip, SourcePort as source_port, DestinationHostname as destination_hostname, DestinationIp as destination_ip, DestinationPort as destination_port
| table User, hostname_ip, source_ip, source_port, destination_hostname, destination_ip, destination_port, Protocol, GUID, process, CommandLine, ParentImage, ParentCommandLine
CommandLine, ParentImage, ParentCommandLine are fields that are present ONLY when you specify EventCode=1 and that aren't when you specify EventCode=2. The data in those fields is not showing up when I run my main search.
I have two questions.
Is the "join" command really necessary or can I accomplish this with a less intensive search like with stats or chart?
Is this search the correct syntax to get the results I want?
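One way to correlate the two EventCode values by GUID with stats instead of join, as an added example that is not from the original post. It assumes the field names used in the query above, and that the Image field is what the table column process should hold (an assumption; the post's query uses Image while its table uses process):

```spl
sourcetype="Windows_System" (EventCode=1 OR (EventCode=2 Image="executable.exe"))
| eval is_exec_event=if(EventCode=2, 1, 0)
| stats max(is_exec_event) as is_exec_event,
        values(User) as User,
        values(SourceHostname) as hostname_ip,
        values(SourceIp) as source_ip,
        values(SourcePort) as source_port,
        values(DestinationHostname) as destination_hostname,
        values(DestinationIp) as destination_ip,
        values(DestinationPort) as destination_port,
        values(Protocol) as Protocol,
        values(Image) as process,
        values(CommandLine) as CommandLine,
        values(ParentImage) as ParentImage,
        values(ParentCommandLine) as ParentCommandLine
        by GUID
| where is_exec_event=1
| fields - is_exec_event
| table User, hostname_ip, source_ip, source_port, destination_hostname, destination_ip, destination_port, Protocol, GUID, process, CommandLine, ParentImage, ParentCommandLine
```

The single base search pulls both event types in one pass, stats groups them by GUID, and the is_exec_event flag keeps only GUIDs that have an EventCode=2 row (the same rows the outer join would keep), while avoiding the subsearch result and time limits that apply to join. If one GUID has several EventCode=1 events, values() returns a multivalue field for those columns rather than a single value.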