I'm trying to create a correlation search that imports a lookup table called ExpiredIdentities.csv, then it takes all the entries in the Identity field and runs an independent search for any activity (events) associated with that identity.
Thanks for the help.

How about using that lookup with the ExpiredIdentities.csv like
ID ExpDate
A x
B y
Then run a search on whatever data you may have about that identity:
index=foo sourcetype=bar | lookup ExpiredIdentities.csv ID OUTPUT ExpDate | where _time>ExpDate
Or just create a lookup associated directly with the sourcetype "bar" and have it run automatically
Thanks for the help!
Forgot to add: only events past expired date.
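A fuller version of the search discussed in this thread, as an added example that is not from any of the posters. It assumes the events carry the identity in a field named `user` (hypothetical), that the lookup column is `Identity` as in the question, and that `ExpDate` is stored as a `YYYY-MM-DD` string, so it is converted to epoch time before being compared with `_time`:

```spl
index=foo sourcetype=bar
| lookup ExpiredIdentities.csv Identity AS user OUTPUT ExpDate
| where isnotnull(ExpDate)
| eval exp_epoch=strptime(ExpDate, "%Y-%m-%d")
| where _time > exp_epoch
| stats count AS events_after_expiry
        earliest(_time) AS first_seen
        latest(_time) AS last_seen
        values(sourcetype) AS sourcetypes
        BY user, ExpDate
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```

The `stats` step yields one result row per expired identity with activity after its expiry date, which suits a correlation search that should alert once per identity rather than once per event.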
