Definitely a noob, and I must be missing something simple...
I have two log files reporting the same error at similar times. I am trying to correlate the two. LDAP authentication failure from both the LDAP server log and the application log.
Using:
| multisearch [search index=1 "222"] [search index=2 "222"]
returns the desired results, but I would like to filter the results down to those where I have a match in both searches based on the timestamp. For instance, if there are 10 events returned from the first search and 1 returned from the second I would like to show just those two based on a matching timestamp (or bucket if need be.)
... View more