thanks man, run with the flow.
just for knowledge,your previous command worked well by showing all events without "|stats count by source_IPs" but when we append stats it process 14% of my file and display no results. Is stats command take too much processing??
source="/export/home/azubair/Audit_Report" NOT [ | inputlookup ip_list | fields ip | rename ip as source_IPs ] | stats count by source_IPs
... View more