Hello, I've got a search query where I'm looking for unexpected ssh connections to my instances, but I've got one server whose IP address dynamically changes, and I want to exclude the IP address of that host because I know there will be expected ssh connections from that IP address. I'm running a subsearch to look at AWS description logs, grabbing the IP of the box based on its name and returning the IP address in the hope that I can use it in my main search. So far it's not working how I expect and I'm not sure why. I would expect not to see entries for hostnameA with usernameA that are coming from the source IP I'm getting from my subsearch, but my results include those entries. Here's my search so far:

index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
| eval exclude_host_ip=[ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
| eval hostName=coalesce('tags.host', 'tags.Name')
| search hostName=dynamic_ip_hostname
| sort - _time
| dedup private_ip_address
| eval ip="\"".private_ip_address."\""
| return $ip]
| search NOT (host=hostnameA AND user=usernameA AND user_src_ip=exclude_host_ip)
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)
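The subsearch in the post works as intended: `return $ip` with the quoted `ip` field hands `eval` a string literal, so `exclude_host_ip` really is set to the address. The exclusion fails one line later, in the `search` command, where `user_src_ip=exclude_host_ip` compares the field against the literal text "exclude_host_ip", not against the field's value; `search` does not do field-to-field comparison, `where` does. The searches below are an added example, not part of the original post or of any Splunk documentation. They keep the post's index, sourcetypes, field names and placeholder host/user names; the assumptions are that `private_ip_address` in the AWS description event is the same address that appears as `user_src_ip` in the sshd event (a login arriving from a public address would not match), and that 10 is a large enough cap on the number of addresses the dynamic host could have reported in 24h. The first search is the minimal fix (swap `search` for `where`, with string literals quoted as `where` requires); the second drops the `eval` and puts the subsearch straight into the NOT clause, which also excludes every address the host reported in the window rather than only the first row `return $ip` would pick.

```spl
index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
| eval exclude_host_ip=[ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
    | eval hostName=coalesce('tags.host', 'tags.Name')
    | search hostName=dynamic_ip_hostname
    | sort - _time
    | dedup private_ip_address
    | eval ip="\"".private_ip_address."\""
    | return $ip ]
| where NOT (host="hostnameA" AND user="usernameA" AND user_src_ip=exclude_host_ip)
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)

index=X sourcetype=linux_secure eventtype=sshd_authentication action=success
    NOT (host=hostnameA user=usernameA
        [ search index=X sourcetype=aws:description source=*:ec2_instances (tags.host=* OR tags.Name=*) earliest=-24h latest=now
          | eval hostName=coalesce('tags.host', 'tags.Name')
          | search hostName=dynamic_ip_hostname
          | dedup private_ip_address
          | return 10 user_src_ip=private_ip_address ])
| table _time, user, host, user_src_ip
| sort - _time
| dedup _time user host user_src_ip
| rename _time as Time, user as "Username", host as "Host", user_src_ip as "Source IP"
| convert timeformat="%m-%d-%Y %H:%M:%S" ctime(Time)
```

In the second form, `return 10 user_src_ip=private_ip_address` expands to an OR of `user_src_ip=<address>` terms, one per distinct address, so the exclusion follows the host across address changes within the window. Before trusting either version, run the bracketed subsearch on its own over the same time range and confirm it returns exactly the rows you expect: if the host's tag is missing or misspelled the subsearch returns nothing, and the NOT clause then no longer carries an address condition at all, which in the second form would drop every hostnameA/usernameA login instead of only the expected ones. Checking `| table user_src_ip` from the main search against `| table private_ip_address` from the subsearch is also the quickest way to spot a public-versus-private address mismatch.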