**Scenario:**
- The data I need is ultimately contained in completely different indices/sourcetypes
- I have a set of 5 computers and a whitelist of addresses they're supposed to go out to but they're going to others
- Their hostnames are contained in my "ip_to_hostname" sourcetype
- The addresses they request are contained in my "dns_requests" sourcetype
- The "dns_requests" sourcetype basically gives the "internal_ip" and "destination_ips"
- The "ip_to_hostname" sourcetype has the fields "internal_ip" and "hostname" but does **NOT** have the field "destination_ip"
**Problem:**
I created an embedded search which first uses "dns_requests" to grab the list of "internal_ip" then passes that to the ultimate search which uses the "ip_to_hostname" sourcetype to resolve the "internal_ip" to the "hostname". The problem is I can't figure out how to make a table which features all 3 needed items making a table of: ***internal_ip***, ***hostname***, ***destination_ips***
**Hypothesis:**
I think I'll need to use the "join" or "transaction" commands in some capacity here?
**Search:**
sourcetype=ip_to_hostname [search sourcetype=dns_requests AND direction=outbound AND internal_ip=10.1.1.0/24 | dedup internal_ip | table internal_ip] | table internal_ip, hostname | sort - internal_ip
***FLAWED Search:***
sourcetype=ip_to_hostname [search sourcetype=dns_requests AND direction=outbound AND internal_ip=10.1.1.0/24 | dedup internal_ip | table internal_ip, ***destination_ips***] | table internal_ip, hostname **destination_ips** | sort - internal_ip
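One way to combine the two sourcetypes into the requested three-column table, added here as an editor's example rather than the asker's own search: the two sourcetypes are searched together and grouped by the common field `internal_ip`, so no subsearch or `join` is needed. Field names (`internal_ip`, `hostname`, `destination_ips`, `direction`) and the `10.1.1.0/24` range are taken from the question above; the assumption is that `internal_ip` holds the same value in both sourcetypes.

```spl
(sourcetype=dns_requests direction=outbound internal_ip=10.1.1.0/24) OR sourcetype=ip_to_hostname
| stats values(hostname) AS hostname values(destination_ips) AS destination_ips BY internal_ip
| where isnotnull(hostname) AND isnotnull(destination_ips)
| table internal_ip, hostname, destination_ips
| sort - internal_ip
```

The `where` clause drops hosts that appear in only one of the two sourcetypes, which is the same effect the original subsearch had. A `join internal_ip [search sourcetype=ip_to_hostname | dedup internal_ip | table internal_ip hostname]` appended to the `dns_requests` search also works, but `join` inherits the subsearch result and time limits (50,000 rows by default), so for a whitelist check across many hosts the `stats ... BY internal_ip` form is the safer choice. To flag only the off-whitelist destinations, add a `| search NOT destination_ips IN (...)` step with the whitelist before the `table` command.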