I have a lookup table with two values that I want to use in the end report.
Example: (table with ip,source) (xxx.xxx.xxx.xxx,incident report)
I want to look at my events, find the IP in the events, and then show the event data with the source from the table in the report. This way the report viewer will know what the offending IP is and how the IP was added to the table.
Example Results
srcIP dstIP srcPORT dstPORT source
x.x.x.x y.y.y.y 5700 80 incident report
I have this type of search that is working:
index="my_summary" [| inputlookup lookup.csv | rename ip as query | fields query ] | top 20 srcIP dstIP srcPORT dstPORT
this search does not work:
index="my_summary" [| inputlookup lookup.csv | rename ip as query | fields query source ] | top 20 srcIP dstIP srcPORT dstPORT source
How do I do a lookup for the IP and tie the IP to the source from the lookup table? Should I be using a join statement rather than a lookup?
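The following searches are an added example and are not part of the original post. A subsearch in square brackets only expands into search terms for the outer search; the `query` field becomes bare search strings, and any other field (here `source`) becomes a `field="value"` filter. Every Splunk event already has its own `source` metadata field, so adding `source` to the subsearch turns into `source="incident report"`, which no event in `my_summary` matches, and the search returns nothing. The lookup value has to be attached after the events are retrieved, with the `lookup` command, and renamed so it does not overwrite the event's built-in `source`. Assumptions: `lookup.csv` is uploaded as a lookup table file visible to the app (or has an equivalent lookup definition), its IP column is named `ip`, and the event field to match is `srcIP`; the output name `ip_source` is an arbitrary choice.

```spl
index="my_summary"
    [| inputlookup lookup.csv | rename ip AS query | fields query ]
| lookup lookup.csv ip AS srcIP OUTPUT source AS ip_source
| top 20 srcIP dstIP srcPORT dstPORT ip_source

index="my_summary"
| lookup lookup.csv ip AS srcIP OUTPUT source AS ip_source
| where isnotnull(ip_source)
| top 20 srcIP dstIP srcPORT dstPORT ip_source
```

The first search keeps the working subsearch as a pre-filter (it narrows the events read from the index, which is cheaper on a large summary index) and then enriches each surviving event. The second drops the subsearch entirely and relies on `where isnotnull(ip_source)` to keep only events whose `srcIP` appears in the table; it is simpler but scans the whole index. Neither needs `join`: `join` runs a second search and merges results in memory with a row limit, whereas `lookup` is a streaming field enrichment that is the intended tool for CSV tables. If the table should also match the destination address, repeat the `lookup` line with `ip AS dstIP OUTPUT source AS dst_ip_source`.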