index="proxy_logs" OR index="websitelist" category="none" cs_Referer!="-"
| stats values(cs_Referer) AS cs_Referer values(url) as url by requestID
| eval results = if(match(upper(cs_Referer),upper(url)), "hit", "miss")
| where results="miss"
Produces no results.
index="proxy_logs" OR index="websitelist" category="none" cs_Referer!="-"
| stats values(index) as indexes by url
| where mvcount(indexes)=1 AND indexes="bcoat_logs"
Produces results, but I need to confirm the output data.
What I am trying to do is look up all the urls in the proxy_logs where the url has an unknown category and does not match the cs_Referer, then mark it as a "miss".
Then check the "miss" results against the second index "websitelist" url.
Another issue is that the "proxy_logs" outputs url not just as a domain name (http://, www., etc.). The "websitelist" has just the domain.
Thanks,
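The matching logic described in the post, prototyped offline as an added example (not part of the original post and not SPL): reduce both `url` and `cs_Referer` to a bare domain, keep the "miss" rows, then flag whether each one appears in the website list. The field names come from the post; the function names, the exact-domain comparison and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://")

def bare_domain(value):
    """Reduce 'http://www.Example.com:8080/x' or 'example.com:443' to 'example.com'."""
    value = value.strip().lower()
    if not _SCHEME.match(value):
        value = "//" + value  # make urlsplit treat a scheme-less value as a host
    host = (urlsplit(value).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(proxy_events, website_list):
    """Return the 'miss' rows: uncategorised requests whose domain differs
    from the referer's domain, each flagged for membership in website_list."""
    known = {bare_domain(d) for d in website_list}
    rows = []
    for ev in proxy_events:
        # Same base filter as the searches in the post.
        if ev["category"] != "none" or ev["cs_Referer"] == "-":
            continue
        domain = bare_domain(ev["url"])
        if domain == bare_domain(ev["cs_Referer"]):
            continue  # "hit": request stays on the referring site
        rows.append({"requestID": ev["requestID"], "domain": domain,
                     "in_websitelist": domain in known})
    return rows

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"requestID": "r1", "url": "http://www.example.com/index.html",
     "cs_Referer": "http://example.com/", "category": "none"},
    {"requestID": "r2", "url": "https://cdn.example.net/lib.js",
     "cs_Referer": "http://www.example.com/index.html", "category": "none"},
    {"requestID": "r3", "url": "tracker.example.org:443",
     "cs_Referer": "https://www.example.com/", "category": "none"},
    {"requestID": "r4", "url": "http://www.example.org/",
     "cs_Referer": "-", "category": "none"},
    {"requestID": "r5", "url": "http://news.example.net/",
     "cs_Referer": "http://example.com/", "category": "News"},
]
SAMPLE_WEBSITELIST = ["cdn.example.net", "example.com"]

if __name__ == "__main__":
    for row in classify(SAMPLE_EVENTS, SAMPLE_WEBSITELIST):
        print(row)
```
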