Solved: Re: Doing lookup in the same index without using l...

thambisetty · ‎06-19-2014

Hi
[index=main host=syslog status="deny"| top src_IP | table src_IP ]:::::this is my sub search.
and it will produce top 10 src_IPs like below.
10.0.0.0

10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.5
10.0.0.6
10.0.0.7
10.0.0.8
10.0.0.9
Now I want to check the status where status="start" OR status="accept" for the above src_IPs in the same index and host.

Please help me in this..
Thanks in advance.

————————————
If this helps, give a like below.

somesoni2 · ‎06-19-2014

Try this

index=main host=syslog status="start" OR status="accept" [search index=main host=syslog status="deny"| top src_IP | table src_IP | format "" "" "" "" "OR" ""]

View solution in original post

somesoni2 · ‎06-19-2014

Try this

index=main host=syslog status="start" OR status="accept" [search index=main host=syslog status="deny"| top src_IP | table src_IP | format "" "" "" "" "OR" ""]

thambisetty · ‎06-19-2014

Thank u soooo much. it worked.

————————————
If this helps, give a like below.

somesoni2 · ‎06-19-2014

This will create a consolidated single statement from results of subsearch (something like src_IP=value1 OR src_IP=value2...etc. Ideally previous version of the search should've worked but something adding format does the trick.

thambisetty · ‎06-19-2014

Thanks.
Im not in office.
may I know why that format..

————————————
If this helps, give a like below.

somesoni2 · ‎06-19-2014

Try the updated one.

thambisetty · ‎06-19-2014

Thanks for ur immediate response.
I tried that one but it is showing different src_IPs. The src_IPs not at all related to result of sub search.

————————————
If this helps, give a like below.

Doing lookup in the same index without using lookup command

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...