Hi Splunkers,
I want to use two datamodel searches at the same time. My problem:
My search returns Filesystem.process_id, but I also want to see process_name, which is not included in the Endpoint->Filesystem datamodel.
I want to fetch process_name from the Endpoint->Processes datamodel in the same search.
My base search is:

```spl
| tstats summariesonly=true allow_old_summaries=true count, min(_time) as firstTime, max(_time) as lastTime FROM datamodel=Endpoint.Filesystem BY "Filesystem.file_name", "Filesystem.file_path", "Filesystem.dest" Filesystem.process_id
```
An example output is shown in the attached screenshot (280722-capture.png).
How do I add Processes.process_name by Filesystem.process_id to this search?
Happy Hunting.
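One way to pull process_name from Endpoint.Processes alongside the Filesystem results, shown here as an added example rather than code from the original post: a left join keyed on both dest and process_id, since the same PID value recurs on every host and process_id alone is not a safe key.

```spl
| tstats summariesonly=true allow_old_summaries=true count, min(_time) as firstTime, max(_time) as lastTime
    FROM datamodel=Endpoint.Filesystem
    BY Filesystem.dest Filesystem.process_id Filesystem.file_name Filesystem.file_path
| rename Filesystem.* AS *
| join type=left dest process_id
    [| tstats summariesonly=true allow_old_summaries=true values(Processes.process_name) AS process_name
        FROM datamodel=Endpoint.Processes
        BY Processes.dest Processes.process_id
     | rename Processes.* AS *]
| table dest process_id process_name file_name file_path count firstTime lastTime
```

The subsearch inside join is subject to Splunk's subsearch row limits, and because PIDs are reused over time a match on dest and process_id can pick up a different process from another part of the time range; for large result sets, run the second tstats with append and reduce with stats by dest and process_id instead of join.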