I'm having to search across two indexes and am looking for a particular string of text, called "sampletext"
Example:
index=sso sourcetype="ping*" "my sampletext here"
Now, I would also like to search the sourcetype=Active Directory for two of its fields, as I would like to include Active Directory's department and description fields in my query:
Example:
index=msad sourcetype=ActiveDirectory department=* description=*
The problem is it's not pulling the Active Directory fields because I am searching for a particular string of text "sampletext" and it's only pulling back the fields under the sso index.
How do I pull the event data that contains the string text under index=sso AND pull the Active Directory fields, department and description under those events too? Is this possible?
Any help is greatly appreciated!
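One common way to correlate events from two indexes in a single Splunk search, as an added example that is not part of the original post: pull both result sets with a combined OR search, normalise the join key, then aggregate with stats so the Active Directory attributes are attached to the matching sso hits. It assumes both sourcetypes carry an account identifier (the hypothetical field names `user` for the ping events and `sAMAccountName` for the Active Directory events are placeholders; substitute whatever field each sourcetype actually provides).

```spl
(index=sso sourcetype="ping*" "my sampletext here")
    OR (index=msad sourcetype=ActiveDirectory department=* description=*)
| eval account=coalesce(user, sAMAccountName)
| stats values(department) AS department
        values(description) AS description
        count(eval(index="sso")) AS sso_hits
        values(sourcetype) AS sourcetypes
        BY account
| where sso_hits > 0
```

The final `where` keeps only accounts that actually produced a "my sampletext here" event in the sso index, so the Active Directory rows serve purely as enrichment rather than inflating the results.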