I have two sourcetypes that have URL fields. I am attempting to remove the `.` so that both fields are just letters and numbers. When I run the searches separately, they work correctly. When I combine with a join, it returns no results. There is matching data in the sources.
sourcetype=aws:s3 | where RESULT=="Blocked" | fields * | rex field=AWSURL mode=sed "s/[^a-zA-Z0-9]//g" | join WINURL [search sourcetype=win_dns | fields * |rex field=WINURL mode=sed "s/[^a-zA-Z0-9]//g" ] | where WINURL==AWSURL | table WINIP, WINURL, AWSURL, URL, SITE, Block_Category
This is supposed to match AWSURL to WINURL after the sed strip, so www[dot]google[dot]com is wwwgooglecom in both. This does work when not joining and comparing. The logic is: if a URL from aws:S3 is blocked, match the URL request from win_dns, grab the WINIP from win_dns, and combine it with the aws:S3 blocked data. Thanks for the help.
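An added example, not the poster's search: `join` only matches rows that carry the join field under the same name on both sides, and the outer aws:s3 results have no WINURL field, so nothing joins. The search below gives both sides a common key (`url_key` is an assumed name) after the sed strip, drops the no-op `fields *`, and pushes the `RESULT` filter into the base search; it assumes WINIP comes from win_dns and URL, SITE and Block_Category come from aws:s3.

```spl
sourcetype=aws:s3 RESULT="Blocked"
| rex field=AWSURL mode=sed "s/[^a-zA-Z0-9]//g"
| eval url_key=AWSURL
| join type=inner url_key
    [ search sourcetype=win_dns
      | rex field=WINURL mode=sed "s/[^a-zA-Z0-9]//g"
      | eval url_key=WINURL
      | fields url_key WINURL WINIP ]
| table WINIP, WINURL, AWSURL, URL, SITE, Block_Category
```

The subsearch in a `join` is still subject to the default subsearch result and time limits, so for large win_dns volumes the same correlation is more robust as `(sourcetype=aws:s3 RESULT="Blocked") OR sourcetype=win_dns | eval url_key=coalesce(AWSURL, WINURL) | rex field=url_key mode=sed "s/[^a-zA-Z0-9]//g" | stats values(WINIP) as WINIP values(URL) as URL values(SITE) as SITE values(Block_Category) as Block_Category dc(sourcetype) as sources by url_key | where sources=2`.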