How do I display data that must be filtered from attributes from 2 different sourcetypes? The search is a multisearch.
This is the query. I would like each of the 4 outputs to be further filtered by a "sourcetype2" with an attribute specific to sourcetype2.
| multisearch
    [search index = index sourcetype="sourcetype1" host=host
        [| tstats count WHERE index = index sourcetype="sourcetype1" host=host earliest=@mon
         | eval earliest=if(count=0,"-1mon@mon","@mon")
         | table earliest ]
     ALL MY ATTRIBUTES
     | eval Coast ="1"]
    [search index = index sourcetype="sourcetype1" host=host
        [| tstats count WHERE index = index sourcetype="sourcetype1" host=host earliest=@mon
         | eval earliest=if(count=0,"-1mon@mon","@mon")
         | table earliest ]
     ALL MY ATTRIBUTES
     | eval Coast ="2"]
    [search index = qualys sourcetype="sourcetype1" host=host
        [| tstats count WHERE index = index sourcetype="sourcetype1" host=host earliest=@mon
         | eval earliest=if(count=0,"-1mon@mon","@mon")
         | table earliest ]
     ALL MY ATTRIBUTES
     | eval Coast ="3"]
    [search index = index sourcetype="sourcetype1" host=host
        [| tstats count WHERE index = index sourcetype="sourcetype1" host=host earliest=@mon
         | eval earliest=if(count=0,"-1mon@mon","@mon")
         | table earliest ]
     ALL MY ATTRIBUTES
     | eval Coast ="4"]
| dedup IP
| stats count(IP) by Coast