I have a search that returns a list with user,dc(Country),values(Country),values(src)
I would like to only show results where a 'src' matches the ip field in lookup called 'blacklist'. The field will likely need to be renamed.
I'm having a hard time getting a search that will return only results where the IP matches the blacklist.
Search:
index=*_vpn | iplocation src | stats dc(Country),values(Country),values(src) by user
Searching the blacklist would look like (I think):
1.1.1.1 [| inputlookup blacklist | rename ip AS src | fields src]
If anyone knows how to make this work, that would be greatly appreciated.
Thanks
Try the following:
index=*_vpn [| inputlookup blacklist.csv | rename ip AS src | table src]
| iplocation src
| stats dc(Country) as CountryCount values(Country) as Country values(src) as srcIPs by user
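The subsearch above is expanded into an `src=... OR src=...` filter and is subject to Splunk's subsearch limits (by default 10,000 results and a 60-second run time), so a large blacklist can be silently truncated. An alternative that avoids the subsearch is to join the blacklist with the `lookup` command and keep only events that matched. This is an added example, not part of the answer above; it assumes a lookup definition named `blacklist` (not just the CSV file) exists with an `ip` field, and the `blacklisted_ip` field name is an arbitrary choice:

```spl
index=*_vpn
| lookup blacklist ip AS src OUTPUT ip AS blacklisted_ip
| where isnotnull(blacklisted_ip)
| iplocation src
| stats dc(Country) AS CountryCount values(Country) AS Country values(src) AS srcIPs by user
```

Because `lookup` needs a lookup definition rather than a raw filename, create one for `blacklist.csv` in Settings > Lookups > Lookup definitions if it does not already exist; `inputlookup`, as used in the subsearch form, accepts either.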