I have a use case where a user will input a username and Splunk should return results for that username. But there are separate events related to that username which do not contain the username field, but instead have the same MAC address field. The following command is what I wish would work, but I know the append command doesn't allow you to pass data from the main search.
index=my_index UserName=myuser | table _time UserName MacAddress Message | append MacAddress [search index=my_index | table _time UserName MacAddress Message]
Does anybody know how I can accomplish this?
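One way to do this in SPL, as an added example that is not part of the original post: run the username search as a subsearch that returns only the MacAddress values, and let Splunk expand those into an OR clause in the outer search. The index and field names (my_index, UserName, MacAddress, Message) are taken from the question; everything else is an assumption.

```spl
index=my_index
    ( UserName=myuser
      OR [ search index=my_index UserName=myuser
           | dedup MacAddress
           | fields MacAddress ] )
| eventstats values(UserName) AS UsersOnMac BY MacAddress
| table _time UserName UsersOnMac MacAddress Message
| sort _time
```

The subsearch runs first and is rewritten as `(MacAddress="...") OR (MacAddress="...")`, so the outer search pulls every event carrying one of those MACs, while the `OR UserName=myuser` keeps the user's own events even when they lack a MacAddress field. The `eventstats` line is an assumed extra that labels each MAC with every username seen on it, which matters if a MAC is shared or re-used; drop it if you only want the raw events. Two caveats: a subsearch is capped by limits.conf (by default 10,000 results and a 60 second runtime), so a user with very many distinct MACs needs a `dedup`, a tighter time range, or a lookup instead; and if the username comes from a dashboard input, quote the token as `UserName=$user|s$` so a value containing spaces or search operators cannot alter the subsearch.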