Hi,
I need to filter the results that are present in the lookup tables. This search is what I have used:
index=* sourcetype="pan:threat" action=allowed | stats count(threat_name) by threat_name NOT [|inputlookup paloaltosignature | table signatures | rename signatures as threat_name]
but there are no results. I have checked the search separately and it is working.
Can somebody tell me what is the problem with the search?
Regards,
You are missing a search command before the NOT. Try this:
index=* sourcetype="pan:threat" action=allowed | stats count(threat_name) by threat_name | search NOT [|inputlookup paloaltosignature | table signatures | rename signatures as threat_name]
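As an added illustration (not code from either post; the lookup and field names are the ones from the question), the first search renders the subsearch as the boolean expression Splunk substitutes for it, which is why an explicit `search` command is required once you are past the first pipe, and the second search applies the same exclusion before `stats` so only the retained events are aggregated:

```spl
| inputlookup paloaltosignature
| table signatures
| rename signatures AS threat_name
| format

index=* sourcetype="pan:threat" action=allowed
    NOT [| inputlookup paloaltosignature | table signatures | rename signatures AS threat_name]
| stats count BY threat_name
```

With a lookup holding the constructed values sig-a and sig-b, `format` returns `( ( threat_name="sig-a" ) OR ( threat_name="sig-b" ) )`. The subsearch is bounded by the limits.conf [subsearch] defaults (maxout 10000 rows, maxtime 60 seconds), so a lookup larger than that truncates the exclusion list.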