In my search results, I have multiple results for "Alert" and "UPN". I want to include only "Alert=Anonymous IP address" for 10 specific "UPN" values and ignore the other results. So I made a lookup table to filter it. However, multiple other "Alert" results are also included in my search results for the "UPN".

Query:

........
| lookup Trusted_Anonymizer Alert_UPN as UPN
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search Anonymizer_alert=Yes
| table Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana @to4kawa @woodcock