I need the field "Location" added to my search as seen in the screenshot attached. However, in this query below the Location field does not pull through and I have identified that it does work when the | stats values(con_UL) as con_UL by machine line is excluded.
Query below:
index=windows host=*nas* source=WMI:Shares
| eval machine=lower(host)
| eval drive = Path
| rex field=drive "(?P<Drive>\w+)\:"
| eval con_splunk=machine. "," .Drive
| eval con_splunkUL = upper(con_splunk)
| join type=left machine
[ search index = varonis source = otl_varonis_monitoring sourcetype="csv"
| eval machine = lower(machine)
| rex field=Share "((?<drive>\w+)\$)"
| eval con=machine. "," .drive
| eval con_UL = upper(con)
| table machine, Location
| stats values(con_UL) as con_UL by machine ]
| eval MonitoringStatus = if(like(upper(con_UL),"%".upper(con_splunkUL)."%"), "Monitored", "Not Monitored")
| eval Action=if ((MonitoringStatus="Not Monitored")AND(like(Path,"%Hosting%")),"Action Required","No Action Required")
| dedup machine, Drive, Path, MonitoringStatus
| table machine, Drive, Path, MonitoringStatus, Action, Location
| sort +str(type), machine
... View more