I have the following search that works but I'm trying to display more information in the search results.
I have a watchlist lookup. I use that to search notable events so that I can alert on a user or asset that is part of a new notable. I'm trying to figure out how to display the new notable in the results.
| inputlookup user_watchlist
| search _key=*
| rename _key as user
| table user asset
| dedup user asset
| eval flag="no"
| join type=left user asset
[ search index=notable
| where isnotnull(src)
| table src user _time
| mvexpand src
| mvexpand user
| dedup src user
| eval user=mvindex(split(user,"@"),0)
| eval flag="yes"
| rename src as asset
| eval asset=lower(asset)]
| where flag="yes"
Hi @bobmccoy,
this is surely a very slow search; avoid using the join command, Splunk isn't a DB!
Let me understand: you want all the notables for the users in the user_watchlist lookup, is that correct?
If this is your requirement, you could try something like this:
index=notable [ | inputlookup user_watchlist WHERE _key=* | rename _key AS user, asset AS src | fields user src | dedup user src ]
| where isnotnull(src)
| mvexpand src
| mvexpand user
| dedup src user
| eval user=mvindex(split(user,"@"),0)
| rename src as asset
| eval asset=lower(asset)
Ciao.
Giuseppe
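As an added example (not part of the original question or of Giuseppe's answer), the search below keeps the subsearch-instead-of-join approach but does the normalization before the match rather than after it, and keeps the notable's own fields in the output, which is what the question asked for. Both searches above strip the "@domain" suffix from user and lowercase src only after the watchlist has been applied, so a watchlist row user="bob" never matches a notable whose user is "bob@corp.example". Here mvexpand runs first (eval functions such as split only look at the first value of a multivalue field), then user and asset are normalized on both sides, then the watchlist pairs are applied with search. The columns rule_name, urgency and status are assumed to exist in your notable events; replace them with whatever fields your notables carry.

```spl
index=notable src=* user=*
| mvexpand src
| mvexpand user
| eval user=lower(mvindex(split(user,"@"),0)), asset=lower(src)
| search
    [ | inputlookup user_watchlist WHERE _key=*
      | rename _key AS user
      | eval user=lower(mvindex(split(user,"@"),0)), asset=lower(asset)
      | fields user asset
      | dedup user asset ]
| table _time rule_name user asset urgency status
| sort 0 - _time
| dedup user asset
```

The subsearch expands to a list of (user="..." AND asset="...") terms, so only notables that hit a watched user on a watched asset survive; search matching is case-insensitive, so the lower() calls matter for the displayed values and for dedup (which is case-sensitive), not for the match itself. sort 0 is deliberate: without the 0, sort silently stops at 10,000 rows. The final dedup keeps only the most recent notable per watched pair; drop it to list every notable. Two caveats: subsearches are capped at 10,000 results by default, so a watchlist larger than that needs the lookup command instead of a subsearch, and if the notable's user field can be empty, user=* in the base search drops those events, which matches the intent of the original where isnotnull(src) filter.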