Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Tstats: How to Include new field?

alex4
Loves-to-Learn Lots
‎09-08-2023 12:33 PM

I want to use the new search signature="test" in the below search.

I don't want to add this new signature to the existing lookup.

 

 

| tstats summariesonly=true values  (IDS_Attacks.action) as action 
    from datamodel=Intrusion_Detection.IDS_Attacks 
    by _time, IDS_Attacks.src, IDS_Attacks.dest, IDS_Attacks.signature 
| `drop_dm_object_name(IDS_Attacks)`
| lookup rq_subnet_zones Network as dest OUTPUTNEW Name, Location
| lookup rq_subnet_zones Network as src OUTPUTNEW Name, Location
| search NOT Name IN ("*Guest*","*Mobile*","*byod*","*visitors*","*phone*")
| lookup rq_emergency_signature_iocs_v01 ioc as signature OUTPUTNEW last_seen 
| where isnotnull(last_seen) 
| dedup src 
| head 51

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...