Hello,
I'd like to run a subsearch with different time range than the parent search. Have to get mac addresses, and need a bigger time range to see results in DHCP logs. you help what's wrong with this ?
index=fw src_translated_ip="$subsearch_src_ip$"
| dedup src_ip
| rename src_ip as dest_ip
| join type=left max=1 dest_ip [ search index=dhcp earliest=-1h@h sourcetype=isc:dhcp dhcp_type=DHCPACK ]
| table dest_ip dest_mac
thanks
↧