
map command works but need more fields

mwdbhyat
Builder

Hi Guys,

I have a search that is working fine. However, the issue is that using the map command removes all other fields from the results, in this case only returning dest_ip. I would like to include other fields like src_ip + any other relevant field data that I may want. Is there a way to return more values and just add them to the results?

Here is my search:

index=bla searchname="searchname*"
| search NOT [| inputlookup mylookup | eval dest_ip=CIDR | rename dest_ip as dest_ip| fields + dest_ip]
| search NOT [| inputlookup mylookup2 | rename Domain as url | fields + url]
| search NOT [| inputlookup mylookup3 | rename Domain as url | fields + url]
| dedup dest_ip
| join domain type=left [ search index=my_corr_search searchname="correlation_search" earliest=-1d latest=now]
| search NOT SearchValue=*
| map search="securitylookup engine=virustotal ip=$dest_ip$" maxsearches=80
| mvexpand SearchType
| eval dest_ip=SearchValue
| eval ThreatValue=8
| eval product_category="Virustotal"
| eval Tag="Malware"
| table src_ip, dest_ip, url, domain, SearchValue, Categories, Webutation, Detected_URLs, undetected_referrer_samples, Tag, domain, detected_downloaded_samples, ThreatValue, product_category

Any thoughts?

Thanks!


yutaka1005
Builder

Since there is no data, I cannot quite imagine what you want to realize, but map can only pass the fields returned by the search defined in map to subsequent processing.

Therefore, if you want to pass some fields to the processing after map, why don't you define them with eval in the map search, like below?

map search="...| eval src_ip=\"$src_ip$\"..." maxsearches=80
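
An added example (not part of the original thread) showing the eval approach from the answer carrying several fields through map. The rows are constructed with makeresults, and the inner `| makeresults | eval SearchValue=...` is a stand-in for the question's `securitylookup engine=virustotal ip=$dest_ip$` call so the search runs without that custom command.

```spl
| makeresults count=3
| streamstats count AS n
``` constructed sample rows; row 2 deliberately has no src_ip ```
| eval dest_ip="203.0.113.".n,
       src_ip=if(n=2, null(), "10.0.0.".n),
       url="http://example.test/".n
``` map fails with "Did not find value for required attribute" when a
    referenced $token$ is missing on a row, so fill every field that is
    passed through before calling map ```
| fillnull value="unknown" src_ip url
``` each $field$ token is replaced with the outer row's value; the eval
    inside the map search re-creates those fields on the inner results ```
| map maxsearches=80 search="| makeresults
    | eval SearchValue=\"$dest_ip$\"
    | eval src_ip=\"$src_ip$\", url=\"$url$\""
| eval dest_ip=SearchValue
| table src_ip, dest_ip, url, SearchValue
```

In the search from the question, the same `| eval src_ip=\"$src_ip$\", url=\"$url$\"` goes after the securitylookup call inside the map string. Because that search runs `dedup dest_ip` before map, only one src_ip per dest_ip reaches the lookup and the final table.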
