Hi everyone!
In Enterprise Security I am trying to combine results from two different source types by using "join", but I am facing a problem with subsearch limits. My goal is to make a statistics table where the traffic data comes from another log, but this traffic log is huge even if I narrow the search to one hour. All I really need are the fields "bytes_in" and "bytes_out" from the traffic log, but right now it is collecting everything. I have tried to narrow the subsearch results, but not successfully so far.
The search below is the very basic setup, which would work without any limits, but I cannot change them. I am looking for any ideas on how to bypass this.
| datamodel datamodel1 search | search attack="vulnerability1"
| join src_ip type=left overwrite=false [search index=logs sourcetype=traffic_log ]
| stats sum(eval(round(bytes_in/(1024*1024),2))) AS "Incoming Mb" sum(eval(round(bytes_out/(1024*1024),2))) AS "Outgoing Mb" by src_ip
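One way to build the same table without the join, as an added example that is not part of the original post: turn the search inside out so that the huge traffic log is the outer search and the datamodel results become the subsearch. The subsearch then returns only the distinct src_ip values of the matching attack events, which Splunk expands into an `(src_ip="..." OR src_ip="...")` filter on the traffic events, so the subsearch result cap (subsearch_maxout, 10,000 rows by default) applies to a handful of addresses instead of to every traffic event. This assumes the datamodel search exposes the address as a plain `src_ip` field (as the original join implies) and that the attack and traffic events are looked up over the same time range.

```spl
index=logs sourcetype=traffic_log
    [| datamodel datamodel1 search
     | search attack="vulnerability1"
     | stats count BY src_ip
     | fields src_ip ]
| stats sum(bytes_in) AS bytes_in sum(bytes_out) AS bytes_out BY src_ip
| eval incoming_mb=round(bytes_in/(1024*1024),2), outgoing_mb=round(bytes_out/(1024*1024),2)
| rename incoming_mb AS "Incoming Mb", outgoing_mb AS "Outgoing Mb"
| fields src_ip "Incoming Mb" "Outgoing Mb"
```

Two differences from the posted join are worth knowing: the totals are summed first and rounded once, instead of summing already-rounded per-event values, and because this is effectively an inner join, an attacking src_ip with no traffic events in the window will not appear in the table (the original `type=left` join would have listed it with empty byte counts). If that row is needed, `append` the src_ip list from the datamodel with zero byte fields and run a second `stats sum ... BY src_ip` over the combined set.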