Hi Splunkers,
I have a query where I want to filter out all the legitimate processes by process path, which I've identified as legitimate paths. Basically this query I customised from ESCU, where all the elements I have already set up to match exactly the existing ESCU query.
What I expect is that the results displayed will not be from the lookup (whitelisted processes) that I call from the query.
Fields: process, process_path
| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name, Processes.parent_process_path
| rename Processes.process_name as process, Processes.parent_process_path as process_path
| rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search
[| tstats count from datamodel=Endpoint.Processes by Processes.process_name, Processes.parent_process_path
| rare Processes.process_name limit=30
| rename Processes.process_name as process, Processes.parent_process_path as process_path
| lookup update=true lookup_rare_process_allow_list_default2 process, process_path OUTPUTNEW allow_list
| where allow_list="false"
| lookup update=true lookup_rare_process_allow_list_local2 process, process_path OUTPUT allow_list
| where allow_list="false"
| table process process_path ]
| `detect_rare_executables_filter`
As you can see in the above query, the second "tstats" consists of two lookups: the first lookup definition (lookup_rare_process_allow_list_default2) is a whitelist of totally existing processes (e.g. Splunk processes) and the second lookup definition used (lookup_rare_process_allow_list_local2) is the full list of whitelisted processes.
The above query runs fine if I change both lookup definition lines into the below:
| lookup update=true lookup_rare_process_allow_list_default2 process OUTPUTNEW allow_list
| where allow_list="false"
| lookup update=true lookup_rare_process_allow_list_local2 process OUTPUT allow_list
| where allow_list="false"
But what I want is not on the field=process, but on field=process_path. I've read the docs for lookup and other community posts, and it seems there should be no issue. No error is displayed for the first query when run. The result is just empty, and I think some string is not being passed to display the result. I'd be really glad if someone can help me on this. Thanks!
I'm sorry, inside both lookups there are three columns:
process, process_path, allow_lists
Column allow_lists is set to "true" on all rows.
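The subsearch in the post joins each event to an allow list on two fields and then filters on the field the lookup returns. As an added example (not code from the post, from ESCU or from Splunk), the Python below emulates that join on constructed rows so the effect of each choice can be checked: a compound key (process AND process_path) that must match exactly, OUTPUTNEW versus OUTPUT, and the difference between filtering for `allow_list="false"` (which also drops rows the lookup never matched, because the field is null there) and a null-aware filter that keeps unmatched rows. The sample events, paths and allow-list rows are constructed, the field is spelled `allow_list` as in the query, and the `case_sensitive` flag stands in for the lookup definition's matching setting.

```python
"""Emulation of a Splunk-style lookup join on a compound key.

Added example, not code from the original post. It models the semantics the
post's subsearch relies on: a lookup matched on two fields, OUTPUTNEW (only
fill a missing field) versus OUTPUT (overwrite), and a `where` filter on the
returned field. All rows below are constructed sample data.
"""

# Constructed sample events, as they would look after the `rename` step.
EVENTS = [
    {"process": "splunkd.exe", "process_path": r"C:\Program Files\Splunk\bin"},
    {"process": "svchost.exe", "process_path": r"C:\Windows\System32"},
    {"process": "svchost.exe", "process_path": r"C:\Users\Public\tmp"},
    {"process": "odd.exe", "process_path": r"C:\Users\Public\tmp"},
]

# Constructed allow lists: three columns, allow_list = "true" on every row.
DEFAULT_ALLOW = [
    {"process": "splunkd.exe", "process_path": r"C:\Program Files\Splunk\bin", "allow_list": "true"},
]
LOCAL_ALLOW = [
    {"process": "svchost.exe", "process_path": r"C:\Windows\System32", "allow_list": "true"},
]

KEY = ("process", "process_path")


def lookup(events, table, key_fields, out_field, overwrite, case_sensitive=True):
    """Emulate `| lookup <table> k1, k2 OUTPUT|OUTPUTNEW out_field`.

    A row matches only when EVERY key field is equal. With case-sensitive
    matching (the assumed default) a path differing only in case is a miss.
    """
    norm = (lambda v: v) if case_sensitive else (lambda v: v.lower())
    index = {tuple(norm(row[k]) for k in key_fields): row[out_field] for row in table}
    out = []
    for ev in events:
        ev = dict(ev)
        hit = index.get(tuple(norm(ev.get(k, "")) for k in key_fields))
        # OUTPUTNEW leaves an existing value alone; OUTPUT overwrites it.
        if hit is not None and (overwrite or out_field not in ev):
            ev[out_field] = hit
        out.append(ev)
    return out


def where_equals(events, field, value):
    """`where field="value"`: events lacking the field (null) never pass."""
    return [ev for ev in events if ev.get(field) == value]


def where_not_allowed(events, field="allow_list"):
    """`where isnull(field) OR field!="true"`: keeps unmatched events too."""
    return [ev for ev in events if ev.get(field) != "true"]


def pipeline_as_posted(events, case_sensitive=True):
    """Both lookups, each followed by `where allow_list="false"`."""
    step = lookup(events, DEFAULT_ALLOW, KEY, "allow_list", overwrite=False, case_sensitive=case_sensitive)
    step = where_equals(step, "allow_list", "false")
    step = lookup(step, LOCAL_ALLOW, KEY, "allow_list", overwrite=True, case_sensitive=case_sensitive)
    return where_equals(step, "allow_list", "false")


def pipeline_null_aware(events, case_sensitive=True):
    """Same lookups, but the filter keeps rows the allow lists never matched."""
    step = lookup(events, DEFAULT_ALLOW, KEY, "allow_list", overwrite=False, case_sensitive=case_sensitive)
    step = lookup(step, LOCAL_ALLOW, KEY, "allow_list", overwrite=True, case_sensitive=case_sensitive)
    return where_not_allowed(step)


if __name__ == "__main__":
    pairs = lambda evs: [(e["process"], e["process_path"]) for e in evs]
    print("as posted  :", pairs(pipeline_as_posted(EVENTS)))
    print("null-aware :", pairs(pipeline_null_aware(EVENTS)))
    # The null-aware run keeps svchost.exe from the unexpected directory and
    # odd.exe, and removes only the exact (process, process_path) pairs listed.
```

Running the block shows the two filters side by side: when every allow-list row carries "true" and unmatched events have no `allow_list` at all, a filter for `"false"` matches nothing, while the null-aware filter removes exactly the listed pairs and keeps the same binary launched from a directory that is not on the list.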