I am working with a search like this:
dovecot
[ search DHCPACK
[ search host="airport*" "Associated with station" | rename mac_addr as src_mac | fields src_mac ]
| rename src_ip as rip | fields rip,src_mac ]
| dedup rip
The problem is that if I specify both rip and src_mac as fields of interest from the child subsearch (DHCPACK level), I end up with a parent search (dovecot level) that looks like this:
dovecot (src_mac="aa:bb:cc:dd:ee:ff" AND rip="1.2.3.4") OR (src_mac=... AND rip=...)...
However, what I'm really interested in is correlating the MAC from the airports to an IP from dhcpd and that IP to a user ID from Dovecot's IMAP logs (I'll expand the search to use other log sources such as Postfix SASL authentication at another time). The end product should be a table displaying the MAC address, IP address and user ID.
Sample data is at http://pastie.org/1449528
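The MAC-to-IP-to-user table the post asks for, as an added example that is not part of the original post and not Splunk search language: a Python script over constructed AirPort, dhcpd and Dovecot log lines (the pastie sample data is not on this page) that mirrors the two subsearch stages and the final dedup.

```python
import re

# Constructed sample lines in the three formats the post names (AirPort
# association, ISC dhcpd DHCPACK, Dovecot imap-login); not the pastie data.
AIRPORT_LINES = [
    "airport-lobby: Associated with station 00:11:22:33:44:55",
    "airport-lab: Associated with station 66:77:88:99:AA:BB",
]
DHCPD_LINES = [
    "dhcpd: DHCPACK on 10.0.0.5 to 00:11:22:33:44:55 via eth0",
    "dhcpd: DHCPACK on 10.0.0.9 to 66:77:88:99:aa:bb via eth0",
    "dhcpd: DHCPACK on 10.0.0.20 to cc:dd:ee:ff:00:11 via eth0",  # wired host, no airport
]
DOVECOT_LINES = [
    "dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1",
    "dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1",
    "dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.9, lip=10.0.0.1",
    "dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=10.0.0.20, lip=10.0.0.1",
    "dovecot: imap-login: Login: user=<dave>, method=PLAIN, rip=10.0.0.77, lip=10.0.0.1",
]
MAC = r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
AIRPORT_RE = re.compile(r"Associated with station " + MAC)
DHCPACK_RE = re.compile(r"DHCPACK on " + IP + r" to " + MAC)
DOVECOT_RE = re.compile(r"user=<(?P<user>[^>]+)>.*\brip=" + IP)

def correlate(airport_lines, dhcpd_lines, dovecot_lines):
    """Return deduplicated (mac, ip, user) rows: airport station -> DHCP lease -> IMAP login."""
    stations = set()
    for line in airport_lines:
        m = AIRPORT_RE.search(line)
        if m:
            stations.add(m.group("mac").lower())
    # Stage 1 (inner subsearch): keep DHCPACK leases only for airport stations.
    ip_to_mac = {}
    for line in dhcpd_lines:
        m = DHCPACK_RE.search(line)
        if m and m.group("mac").lower() in stations:
            ip_to_mac[m.group("ip")] = m.group("mac").lower()  # later lease for an IP wins
    # Stage 2 (outer search): match each Dovecot login's rip to a leased IP, then dedup.
    rows, seen = [], set()
    for line in dovecot_lines:
        m = DOVECOT_RE.search(line)
        if not m or m.group("ip") not in ip_to_mac:
            continue
        row = (ip_to_mac[m.group("ip")], m.group("ip"), m.group("user"))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows  # each tuple is one line of the src_mac / rip / user table
```

Without timestamps the last DHCPACK seen for an IP wins, so on real data the lease should be matched to the login within the lease window rather than globally.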