Hi @yuanliu

Thank you again for your suggestion. Below I posted my sample search, closer to the real search, where I have multiple subnets in the "search filter" and an additional field filter. When I removed the "search ip filter" and moved it up next to index=risk, the search is 3 seconds slower, but the results are the same.

1) What is the difference between using "| search ip=" and "ip="? They give the same outcome.

2) Sorry about not mentioning dedup. Because dedup will remove any rows that have empty/null fields, I put the dedup after the join and added the "fillnull" command. If I moved it to each subsearch, I would need to add a fillnull command for each subsearch, and it's probably adding a delay. What do you think?

I appreciate your suggestion again. Thanks

Before removing "filter ip":

| inputlookup host.csv
| search (ip="10.1.0.0/16" OR ip="10.2.0.0/16" OR ip="10.3.0.0/16" OR ip="10.4.0.0/16" OR ip="10.5.0.0/16" OR ip="10.6.0.0/16")
| rename ip_address as ip
| join max=0 type=left ip
[ search index=risk
| fields ip risk score contact
| where isnotnull(ip) AND isnotnull(risk) AND isnotnull(score)
| search (ip="10.1.0.0/16" OR ip="10.2.0.0/16") AND (company="compA" OR company="compB")
]
| join max=0 type=left ip
[ search index=risk ip="10.2.0.0/16"
| fields ip risk score contact
| where isnotnull(ip) AND isnotnull(risk) AND isnotnull(score)
| search (ip="10.3.0.0/16" OR ip="10.4.0.0/16") AND (company="compA" OR company="compB")
]
| join max=0 type=left ip
[ search index=risk ip="10.3.0.0/16"
| fields ip risk score contact
| search (ip="10.5.0.0/16" OR ip="10.6.0.0/16") AND (company="compA" OR company="compB")
]
| fillnull value=0 score
| fillnull value="N/A" ip risk contact
| dedup ip risk score contact
| table ip, host, risk, score, contact

After removing "filter ip" (3 seconds slower):

| inputlookup host.csv
| search (ip="10.1.0.0/16" OR ip="10.2.0.0/16" OR ip="10.3.0.0/16" OR ip="10.4.0.0/16" OR ip="10.5.0.0/16" OR ip="10.6.0.0/16")
| rename ip_address as ip
| join max=0 type=left ip
[ search index=risk (ip="10.1.0.0/16" OR ip="10.2.0.0/16") AND (company="compA" OR company="compB")
| fields ip risk score contact
| where isnotnull(ip) AND isnotnull(risk) AND isnotnull(score)
]
| join max=0 type=left ip
[ search index=risk ip="10.2.0.0/16" (ip="10.3.0.0/16" OR ip="10.4.0.0/16") AND (company="compA" OR company="compB")
| fields ip risk score contact
| where isnotnull(ip) AND isnotnull(risk) AND isnotnull(score)
]
| join max=0 type=left ip
[ search index=risk ip="10.3.0.0/16" (ip="10.5.0.0/16" OR ip="10.6.0.0/16") AND (company="compA" OR company="compB")
| fields ip risk score contact
]
| fillnull value=0 score
| fillnull value="N/A" ip risk contact
| dedup ip risk score contact
| table ip, host, risk, score, contact