Hello All.
I am trying to use a lookup to perform a tstats search against a data model, where I want multiple search terms for the same field. However, I cannot get this to work as desired. I have an example below to show what is happening, and what I'm trying to achieve.
I have a lookup file named search_terms.csv:
process_exec,process,process
someexe.exe,*param1*,*param2*
Given this lookup file, here is the expanded search I am trying to achieve:
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest
Here is the first search I tried:
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest
However, expanding this search leads to the second process column being ignored:
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1*) by Processes.dest
Since this did not work, I tried editing the lookup file to look like this:
process_exec,process
someexe.exe,*param1*|||*param2*
Then I used makemv to make the process field multivalue:
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where [ | inputlookup search_terms.csv | fields process_exec process | makemv delim="|||" process | rename process_exec AS Processes.process_exec | rename process AS Processes.process ] by Processes.dest
However, expanding this search led to an "OR" being used for the 2 process query values, instead of an "AND":
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND (Processes.process=*param1* OR Processes.process=*param2*)) by Processes.dest
Does anyone know of a method to create a search using a lookup that would lead to my desired search of:
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes where (Processes.process_exec=someexe.exe AND Processes.process=*param1* AND Processes.process=*param2*) by Processes.dest
Check out the format command. It lets you change how the result of the subsearch is formatted, including replacing OR with AND.
This is exactly what I needed, thank you! I was able to append the following to my subsearch to get the desired result:
| format mvsep="AND"
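As an added example (not part of the original thread), here is the full search with the format command in place, plus the subsearch run on its own so you can preview the where clause it generates before using it in tstats. It assumes the two-column search_terms.csv with the "|||" delimiter from the question; the only change from the poster's subsearch is that the two rename calls are collapsed into one.

```spl
| tstats summariesonly=false allow_old_summaries=true count from datamodel=Endpoint.Processes
    where [
        | inputlookup search_terms.csv
        | fields process_exec process
        | makemv delim="|||" process
        | rename process_exec AS Processes.process_exec, process AS Processes.process
        | format mvsep="AND"
    ]
    by Processes.dest

``` Preview what the subsearch hands to tstats: format writes its output into a field named "search" ```
| inputlookup search_terms.csv
| fields process_exec process
| makemv delim="|||" process
| rename process_exec AS Processes.process_exec, process AS Processes.process
| format mvsep="AND"
| table search
```

The preview should show a single row along the lines of ( ( Processes.process_exec="someexe.exe" AND ( Processes.process="*param1*" AND Processes.process="*param2*" ) ) ): format quotes every value, wraps the multivalue field in its own parentheses joined by mvsep, ANDs the fields within a row, and ORs the rows together, so adding more lines to the lookup gives one OR'd group per line. Two things to keep in mind: mvsep applies to every multivalue field in the subsearch result, not just process, so any other field you split with makemv will be ANDed as well; and the quoted wildcards ("*param1*") still match as wildcards in the tstats where clause, which the preview lets you confirm against the expanded search you wanted.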