Hello,
I am currently trying to do a search across two different sourcetypes using the map command:
sourcetype=source1 "alert"
| rename blahblahblah AS Machine
| where isnotnull(Machine)
| eval earliest=_time-86400
| eval latest=_time+86400
| map search="search sourcetype=source2 Computer=\"$Machine$\" earliest=$earliest$ latest=$latest$" maxsearches=100
| table Computer status
The idea is that source1 contains certain events revolving around certain computers. I want to cross-reference this with source2 to find the status of each Computer that shows up in the results of the search from source1 around the given time the event occurs. However, I am only getting results concerning the first computer that appears.
e.g., instead of getting:
| Computer | status |
|--------------|---------|
| ComputA | 1.0 |
| ComputB | 3.0 |
| ComputC | 1.0 |
I am just getting:
| Computer | status |
|--------------|---------|
| ComputA | 1.0 |
Is this the way the map command is supposed to work and I just misunderstood, or have I made a mistake somewhere else?
Thanks ahead of time!
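To make the intended semantics of the pipeline concrete, here is an added Python model of it (not part of the original post, and not Splunk code): for every source1 alert row that survives the isnotnull() filter, look up source2 status events for the same machine inside the ±86400 s window, and append whatever each per-row lookup returns, in the way map feeds one search per input row. The sample events, the field name blahblahblah, and the treatment of maxsearches as a simple cap on how many per-row lookups run are all constructed assumptions for illustration.

```python
"""Model of the two-sourcetype correlation from the post: one lookup per
source1 alert row, restricted to the same machine and a +/- 1 day window."""

WINDOW = 86400  # seconds; mirrors eval earliest=_time-86400 / latest=_time+86400

# Constructed sample events (not real data). source1 carries the machine name in
# a field that the post renames to "Machine"; source2 carries "Computer" and "status".
SOURCE1 = [
    {"_time": 1_700_000_000, "blahblahblah": "ComputA", "_raw": "alert ..."},
    {"_time": 1_700_050_000, "blahblahblah": "ComputB", "_raw": "alert ..."},
    {"_time": 1_700_100_000, "blahblahblah": None,      "_raw": "alert ..."},  # dropped by isnotnull()
    {"_time": 1_700_150_000, "blahblahblah": "ComputC", "_raw": "alert ..."},
]
SOURCE2 = [
    {"_time": 1_699_990_000, "Computer": "ComputA", "status": 1.0},
    {"_time": 1_700_060_000, "Computer": "ComputB", "status": 3.0},
    {"_time": 1_700_160_000, "Computer": "ComputC", "status": 1.0},
    {"_time": 1_690_000_000, "Computer": "ComputC", "status": 2.0},  # outside the window, must not match
]


def outer_rows(source1, window=WINDOW):
    """rename ... AS Machine | where isnotnull(Machine) | eval earliest/latest."""
    rows = []
    for ev in source1:
        machine = ev.get("blahblahblah")
        if machine is None:
            continue
        rows.append({
            "Machine": machine,
            "earliest": ev["_time"] - window,
            "latest": ev["_time"] + window,
        })
    return rows


def inner_search(source2, machine, earliest, latest):
    """The per-row search: sourcetype=source2 Computer=<machine> earliest=.. latest=.."""
    return [
        {"Computer": ev["Computer"], "status": ev["status"]}
        for ev in source2
        if ev["Computer"] == machine and earliest <= ev["_time"] <= latest
    ]


def map_search(source1, source2, maxsearches=100, window=WINDOW):
    """Run inner_search once per outer row and concatenate the results.

    maxsearches is modelled here as a hard cap on how many outer rows are
    processed (an assumption for illustration, not a statement about Splunk).
    """
    results = []
    for i, row in enumerate(outer_rows(source1, window)):
        if i >= maxsearches:
            break
        results.extend(inner_search(source2, row["Machine"], row["earliest"], row["latest"]))
    return results


if __name__ == "__main__":
    for row in map_search(SOURCE1, SOURCE2):
        print(row["Computer"], row["status"])
```

Run as written, the model yields one row each for ComputA, ComputB and ComputC, i.e. the table the post expects; the ComputC event from ten days earlier is excluded by the window, and the alert with no machine name never produces a lookup.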