I need to join two large tstats namespaces on multiple fields. For example, I have these two tstats:
| tstats count(dst_ip) AS cdip FROM bad_traffic groupby protocol dst_port dst_ip
and
| tstats count(dst_ip) AS cdipt FROM all_traffic groupby protocol dst_port dst_ip src_ip
I need all src_ip fields from the all_traffic namespace where the dst_ip, dst_port, and protocol of the all_traffic entry match a dst_ip, dst_port, protocol combination in the bad_traffic namespace. Effectively this gives a list of all the source IPs for traffic that matches bad traffic.
I read through the stats, tstats, and eval manuals, but I'm stuck on how to do this efficiently. I can do it with a join on the two tstats commands above, but the datasets are so large it takes forever. I considered doing a prestats and append on the tstats, but I can't seem to get the desired results this way.
Thanks for any help!
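One join-free way to do the match, added here as an illustration and not taken from the question or from any answer on the page: run the two tstats searches, tag each result row with the namespace it came from, append them, and let stats do the matching on the three key fields. The namespaces bad_traffic and all_traffic and the field names protocol, dst_port, dst_ip and src_ip are the ones in the question; the tag field origin, the count alias n, and the multivalue field origins are names assumed for this example.

```spl
| tstats count AS n FROM all_traffic groupby protocol dst_port dst_ip src_ip
| eval origin="all"
| append [
    | tstats count AS n FROM bad_traffic groupby protocol dst_port dst_ip
    | eval origin="bad"
  ]
| stats values(origin) AS origins, values(src_ip) AS src_ip BY protocol dst_port dst_ip
| where mvcount(origins)=2
| mvexpand src_ip
| table protocol dst_port dst_ip src_ip
```

The stats command groups both result sets on protocol, dst_port and dst_ip; a group whose origins field contains both "all" and "bad" is a combination present in both namespaces, and its src_ip values (which only the all_traffic rows carry) are the sources that talked to known-bad destinations. The where clause drops combinations seen in only one namespace, and mvexpand turns the multivalue src_ip back into one row per source. Two caveats: append runs the bracketed search as a subsearch, so it is subject to the subsearch limits (append's defaults are maxout=50000 rows and maxtime=60 seconds), which is why the smaller bad_traffic search sits inside the brackets and the large all_traffic search outside; if the bad_traffic key set itself exceeds those limits, write it out once with outputlookup and replace the append and stats with a lookup on protocol, dst_port and dst_ip against the all_traffic results. The tstats prestats=t / append=t form combines the two counts but gives no per-row origin marker, which is what this match needs, so the append command is used here instead.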