Hello!
I have sourtsetype that contains multiple source. Into sourcetype permanently add new source. I need to search in the earliest source. For extract most earliest source I use this search request:
sourcetype="MySourceType" source=* NOT [ | inputlookup usedfiles.csv|fields source]| stats dc(source) by source | sort 1 by source | fields - dc(source) | outputlookup append=true usedfiles.csv
This search successfully return of earliest source name. How I can make search into this source? This search request is not working:
sourcetype="MySourceType" source=* NOT [ | inputlookup usedfiles.csv|fields source]| stats dc(source) by source | sort 1 by source | fields - dc(source) | outputlookup append=true usedfiles.csv | search Field="value"
