@PickleRick thank you for your quick response, and I apologize for my lack of clarity. Here is what I am trying to accomplish in a bit more detail:

index="pan" will have fields like: user, dest_ip, _time, bytes_in, source_ip, etc.

index="threat" has only one field: "ipv4{}"

I would like to combine these searches into one, where every 10-15 minutes or so it looks at strictly the dest_ip field in the "pan" index, as well as the "ipv4{}" field from the "threat" index, finds matches between those two fields, and then returns those matches AS WELL AS the corresponding fields from index="pan" such as user, _time, bytes_in, etc.

For example:

Within index="pan":

    dest_ip        user     _time
    1.1.1.1        santa    4pm
    172.168.1.1    tom      2pm
    8.8.8.8        daniel   1pm
    10.0.5.1       peter    4am

Within index="threat":

    ipv4{}
    10.0.5.1
    1.1.1.1

Would return a table that looks like this:

    dest_ip        user     _time
    1.1.1.1        santa    4pm
    10.0.5.1       peter    4am

I think this is much simpler than I am currently making it in my head, as this seems like it would be a common search that many admins would need to implement. Once again, any help or guidance would be very much appreciated, and showered with karma! Thanks in advance
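Two ways to express the match described in the post, written here as an added example rather than anything from the thread. Both take every value of "ipv4{}" in the threat index, treat it as a dest_ip, and return only the pan events whose dest_ip appears in that list, along with the other pan fields. The time ranges (last 15 minutes of pan data, last 24 hours of threat data), the lookup file name threat_ips.csv and the is_threat flag column are assumptions made for the example; adjust them to the real feeds.

```spl
index="pan" earliest=-15m@m latest=@m
    [ search index="threat" earliest=-24h
      | rename "ipv4{}" AS dest_ip
      | mvexpand dest_ip
      | dedup dest_ip
      | fields dest_ip ]
| table _time user dest_ip source_ip bytes_in

index="threat" earliest=-24h
| rename "ipv4{}" AS dest_ip
| mvexpand dest_ip
| dedup dest_ip
| eval is_threat=1
| fields dest_ip is_threat
| outputlookup threat_ips.csv

index="pan" earliest=-15m@m latest=@m
| lookup threat_ips.csv dest_ip OUTPUT is_threat
| where is_threat=1
| table _time user dest_ip source_ip bytes_in
```

The first search uses a subsearch: the bracketed part runs first, and because its only output field is named dest_ip, Splunk rewrites it into a filter of the form (dest_ip="1.1.1.1") OR (dest_ip="10.0.5.1") that is applied to the pan index. The rename is what makes the two field names line up, mvexpand splits any threat event that carries several addresses in "ipv4{}" into one row per address so the generated filter is a plain OR rather than an AND within one row, and dedup keeps the filter short. Subsearches are capped by limits.conf (by default 10,000 results and 60 seconds), so a large threat feed can be silently truncated; the second pair of searches avoids that by writing the distinct threat IPs to a CSV lookup on a schedule and having the pan search match against the lookup instead. Save the pan search as a scheduled alert with a cron schedule such as */15 * * * * to get the 10-15 minute cadence asked for, and schedule the outputlookup search at whatever rate the threat index is refreshed.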