So, it seems like I'm close, but I can't get it to output IP usage from zero to X. The below query gets me logins (event type 6152) from 1 to infinity, but no zero site usage.
Lines 2 through 5 extract the IP from the query results and format it down to the first three octets.
When I add your query to the end of this one it no longer does the lookup against the csv file, BUT it does extract the correct number of zero usage sites from the list (I've verified it manually), so that part works.
What it doesn't do is do the lookup against the .csv and output the entire list with the 0-999 login information. I'm really new at this and sadly not a computer scientist... so I'm not sure where to go from here (for instance your suggestion to add an eval-if command... no idea what that means) and simply removing that where clause causes all IPs to report "1" login.
Here is the query I'm using now to get the login data... I know it's ugly.
index="client_index" AND Event_Type=6152
| eval new=substr(audit_filename,16,14)
| eval ip=mvindex(split(new,"_"),0)
| eval mvip=split(ip,".")
| eval site_ip_range=mvindex(mvip,0).".".mvindex(mvip,1).".".mvindex(mvip,2)
| stats count By site_ip_range
| sort 0 site_ip_range
| lookup site usage.csv site_ip_range output Site_Name Site_Number