index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT [| inputlookup Email_exclusion]
This is my search. I am trying to exclude the dest_ip from the lookup table from the search. It was working before and suddenly stopped.
Any idea what could have gone wrong?
What do you get if you run the following search?
| inputlookup Email_exclusion
Unless you get a single-column table headed dest_ip, the search will not exclude values as you hope. There may be a problem with the lookup table.
Yeah, I did that and I could see the results of my lookup table...
In the Job Inspector, you should be able to see what the expanded subsearch looks like (have a look for the section remoteSearch)
It should look something like:
index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT (dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x)
That is, it will show the expanded subsearch. Is that how it looks?
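Added illustration (not from the original thread, and not Splunk's own code): a small Python model of what the answer above describes, namely how a subsearch over a lookup is expanded into the outer search and why the lookup has to be a single column headed dest_ip. The lookup contents, the stats rows and the two-column variant are constructed sample data; the rendering mirrors the expanded search shown in the Job Inspector output in this thread, with a multi-column lookup AND-ing its columns per row, which is standard Splunk subsearch behaviour.

```python
import csv
import io

# Constructed sample lookup standing in for Email_exclusion (assumption: one
# column, headed dest_ip, as the answer above says it must be).
LOOKUP_CSV = """dest_ip
203.0.113.10
203.0.113.11
198.51.100.7
"""

# Constructed two-column variant, to show what goes wrong when the lookup
# carries an extra column.
TWO_COLUMN_CSV = """dest_ip,app
203.0.113.10,smtp
"""

# Constructed stand-in for the output of
# "... | stats count values(Country) values(client_ip) by dest_ip"
STATS_ROWS = [
    {"dest_ip": "203.0.113.10", "count": 4},
    {"dest_ip": "192.0.2.25", "count": 9},
    {"dest_ip": "198.51.100.7", "count": 1},
]


def load_lookup(text):
    """Parse a CSV lookup into row dicts, like "| inputlookup" returns."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup_ok(rows, field="dest_ip"):
    """The check from the answer above: every row has exactly one column,
    headed dest_ip. The non-blank guard on the value is an added sanity
    check, not something the thread states."""
    if not rows:
        return False
    return all(list(r.keys()) == [field] and r[field].strip() for r in rows)


def expand_subsearch(rows):
    """Render rows the way a subsearch is expanded into the outer search:
    each row becomes ( field="value" [AND field2="value2"] ) and the rows
    are OR-ed together, then negated by the NOT in front of the subsearch.
    Format follows the remoteSearch line quoted in this thread."""
    clauses = []
    for row in rows:
        terms = " AND ".join('{}="{}"'.format(k, v) for k, v in row.items())
        clauses.append("( {} )".format(terms))
    return "NOT ( {} )".format(" OR ".join(clauses))


def apply_exclusion(results, rows):
    """Apply the expanded clause: drop a result only if some lookup row
    matches on every one of that row's fields. A row that references a
    field the result does not carry (e.g. app after "stats ... by dest_ip")
    can never match, so such a lookup excludes nothing."""
    def matches(result, row):
        return all(result.get(k) == v for k, v in row.items())
    return [r for r in results if not any(matches(r, row) for row in rows)]


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV)
    print("lookup ok:", lookup_ok(rows))
    print(expand_subsearch(rows))
    for r in apply_exclusion(STATS_ROWS, rows):
        print("kept:", r)
    two = load_lookup(TWO_COLUMN_CSV)
    print("lookup ok:", lookup_ok(two))
    print(expand_subsearch(two))
    print("kept with two-column lookup:", len(apply_exclusion(STATS_ROWS, two)))
```

Running it shows the single-column lookup expanding to the same `NOT ( ( dest_ip="..." ) OR ... )` shape seen in the Job Inspector and removing the two listed addresses, while the two-column lookup expands to `( dest_ip="..." AND app="..." )` and removes nothing, because the stats output has no app field to satisfy the AND.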
Here is how it looks:
search index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT ( ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) )
What changed between when the search worked and when it suddenly stopped?
I am not sure; it was working a week before, the same query, but now I see no results though there are logs.