Sure, to answer your question sdwilkerson. There is a class of search queries that I keep running into that conceptually require a subsearch. Since the subsearch has limitations on how many results can be string interpolated and inserted into the main search command, I am using lookup tables instead. Here is one example:
I want to create a list of the top 10 offenders sending mails with the most number of "Bounced" errors. (This is a good way to fingerprint someone who is using their company email address to spam external people, as the spammers list is usually of poor quality--many old or illegitimate email addresses).
To calculate this, I need to know the mailfrom field which is associated with each occurrence of the "Bounced" error. The initial way I approached this was to first run a subsearch for the "bounced" message, and pipe that into fields mid to return a list of MIDs. The subsequent search looked for all events related to that list of mids, and then ran a transaction over the MID field. That allowed me to know the mailto, mailfrom and subject of the mails which had the "Bounced" errors.
Since I ran into the subsearch limits on this, the solution was to create a lookup table. This removes the need for a subsearch to find the context for each "Bounced" mail, since I can just look up the mailfrom by mid in the table.
eventtype=cisco_esa "Bounced message..." | lookup my_ironport_table mid OUTPUT mailfrom,mailto,subject | stats count(mailfrom)
There are a good number of other queries similar to this that I need to run. They all follow the pattern of needing to search for something that is part of a conceptual transaction, and then needing to find the other events associated with the rest of that transaction in order to complete the query.
... View more