Hi all,
I'd like to join 2 Windows events using instance_ID as follows:
`sourcetype="WinEventLog:security" EventCode=299 | join instance_ID [search sourcetype="WinEventLog:security" EventCode=500]`
For fields common to both searches, only the one from the subsearch is retained, e.g. EventCode=500 in the above search.
Shall I rename such fields in either the main search or the subsearch (except the ones used in the join) before joining?
Off-topic: are there ways faster than join for the same query?
Sorry for the newbie question.
Thanks a lot.
Rgds
/ST Wong