Here is my SPL, what am I doing wrong?
|tstats count from datamodel=Authentication where ([|inputlookup threatconnect_ip_indicators.csv | fields ip | rename IP AS Authentication.src]) by Authentication.src, Authentication.user, Authentication.dest, Authentication.action
|rename Authentication.src as SRC, Authentication.user as USER, Authentication.dest as DEST, Authentication.action as ACTION
|table USER SRC DEST ACTION count
Hi,
Please try below query, also make sure that IP address column header is case sensitive in inputlookup command
|tstats count from datamodel=Authentication where ([ inputlookup threatconnect_ip_indicators.csv | fields ip | rename ip AS Authentication.src | format ]) by Authentication.src, Authentication.user, Authentication.dest, Authentication.action
|rename Authentication.src as SRC, Authentication.user as USER, Authentication.dest as DEST, Authentication.action as ACTION
|table USER SRC DEST ACTION count