Dear to4kawa,
Now it is working well, but when I saw the command you wrote, it looks the same as the one I used, except that I added the name of the firstColumn OUTPUTNEW secondColumn (the description of the first column),
like this:
index=xx sourcetype=ttt
|top host
|lookup xyz_lookup host OUTPUTNEW hostname(Desc)
That can be done without using join.
(sourcetype=pan:threat src IN (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) raw_category = "web-advertisements") OR
sourcetype="WinEventLog:Security"
| eval src=coalesce(src, 'Source Address', 'Source Network Address')
| stats values(*) as * by src
| stats count values(src) as src by Account_Name
| sort -count | head 1
| table src Account_Name count
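The join-free pattern from the answer above, emulated in Python over constructed events (an added example, not code from the thread or from Splunk): coalesce picks whichever source-address field an event carries, grouping by src merges the firewall category and the Windows account onto one row, and the last step picks the account seen from the most sources.

```python
from collections import defaultdict

# Constructed sample events (not real log data): one firewall threat hit and
# three Windows logons, two of them by the same account from different sources.
EVENTS = [
    {"sourcetype": "pan:threat", "src": "10.1.2.3", "raw_category": "web-advertisements"},
    {"sourcetype": "WinEventLog:Security", "Source Network Address": "10.1.2.3", "Account_Name": "alice"},
    {"sourcetype": "WinEventLog:Security", "Source Address": "10.5.5.5", "Account_Name": "alice"},
    {"sourcetype": "WinEventLog:Security", "Source Address": "10.9.9.9", "Account_Name": "bob"},
]

def coalesce(event, *fields):
    """SPL coalesce(): the first listed field that is present and non-empty."""
    for name in fields:
        if event.get(name) not in (None, ""):
            return event[name]
    return None

def stats_values_by_src(events):
    """eval src=coalesce(...) | stats values(*) as * by src
    Distinct values of every field are collected per src, so the firewall
    category and the Windows account land on the same row without a join."""
    merged = defaultdict(lambda: defaultdict(set))
    for ev in events:
        src = coalesce(ev, "src", "Source Address", "Source Network Address")
        if src is None:
            continue  # stats drops events whose by-field is null
        for key, value in ev.items():
            merged[src][key].add(value)
        merged[src]["src"] = {src}
    return {src: {k: sorted(v) for k, v in fields.items()} for src, fields in merged.items()}

def top_account(merged):
    """stats count values(src) as src by Account_Name | sort -count | head 1
    Counts how many distinct sources each account appeared from."""
    per_account = defaultdict(lambda: {"count": 0, "src": set()})
    for src, fields in merged.items():
        for acct in fields.get("Account_Name", []):
            per_account[acct]["count"] += 1
            per_account[acct]["src"].add(src)
    if not per_account:
        return None
    acct, agg = max(per_account.items(), key=lambda kv: kv[1]["count"])
    return {"Account_Name": acct, "count": agg["count"], "src": sorted(agg["src"])}

if __name__ == "__main__":
    print(top_account(stats_values_by_src(EVENTS)))
```

Note that the OR between the two sourcetypes means Windows events with no matching firewall hit still reach the final row; filter on raw_category after the first stats if only correlated sources are wanted.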