So, I am trying to use a lookup table spammer.csv to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender,A1Sender_domain,A2Sender,A2Sender_domain,Recipient{}
fred@flintstone.com,,tinker@sbuggy.com,,
,*@bbunny.com,mmouse@wd.com,,
,*@wd.com,,*@bbunny.com,
,,,,myemail@me.com
I can get this to work:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender, A2Sender
How do I code something like:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender, A2Sender
If I am following you right, my search without any exclusions will return the fields A1Sender, A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...
The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each row is manually added to the csv as it is discovered. Not every field is filled, as in the example below.
A1Sender             A1Sender_domain   A2Sender           A2Sender_domain   Recipient{}
fred@flintstone.com                    tinker@sbuggy.com
                     *@bbunny.com      mmouse@wd.com
                     *@wd.com                             *@bbunny.com
                                                                            myemail@me.com
Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?
A1Sender, A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}
If fields A1Sender and A2Sender contain values, then omit them from the results. This works in the first example, but getting the rest to work has been difficult.
If field Recipient{} contains values, then omit them from the results.
If fields A1Sender_domain and A2Sender contain values, convert A1Sender_domain into A1Sender and use A2Sender to omit from the results.
If fields A1Sender_domain and A2Sender_domain contain values, same as above, but A2Sender_domain will be A2Sender.
Did that answer your question?
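One way to express the exclusion rules listed above in a single subsearch, as an added example by the editor and not code from anyone in this thread. It assumes the lookup file and column names exactly as posted (spammer.csv with A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}), that the event fields are named A1Sender, A2Sender and Recipient{}, and keeps the poster's {my search} placeholder for the base search. The idea is to rewrite each lookup row inside the subsearch so that its non-blank cells carry the names of the event fields they should be compared against: a domain cell is moved into A1Sender or A2Sender, blank cells are turned into nulls so they drop out of the generated search, and rows with nothing left are discarded. Splunk ANDs the fields within one subsearch row and ORs the rows together, so `search NOT [...]` removes an event only when every surviving cell of some row matches it.

```spl
{my search}
| search NOT [
      | inputlookup spammer.csv
      | eval A1Sender=coalesce(nullif(A1Sender, ""), nullif(A1Sender_domain, "")),
             A2Sender=coalesce(nullif(A2Sender, ""), nullif(A2Sender_domain, "")),
             'Recipient{}'=nullif('Recipient{}', "")
      | where isnotnull(A1Sender) OR isnotnull(A2Sender) OR isnotnull('Recipient{}')
      | fields A1Sender, A2Sender, Recipient{}
  ]
| table _time, A1Sender, A2Sender, Recipient{}
```

For the csv above this expands to roughly `NOT ((A1Sender="fred@flintstone.com" AND A2Sender="tinker@sbuggy.com") OR (A1Sender="*@bbunny.com" AND A2Sender="mmouse@wd.com") OR (A1Sender="*@wd.com" AND A2Sender="*@bbunny.com") OR (Recipient{}="myemail@me.com"))`. The `*` in a quoted value is still treated as a wildcard by the search command, which is what makes the `*@domain` cells work once they are renamed into the event field, and a multivalue Recipient{} matches when any of its values equals the listed address. To check what the subsearch actually generates before trusting the exclusion, run the bracketed part on its own with `| format` appended and read the `search` field. Two caveats: if the event field is really spelled Recipients{}, rename it in the eval and fields lines, and because this is a subsearch it is subject to the default subsearch limits (10,000 rows and 60 seconds in limits.conf), which is more than enough for a hand-maintained list but worth knowing if the csv grows.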
Which fields do you have in your lookup and which fields do you have returned by your event search?