Hello, I have a query for returning blocked data from our firewall to Google's DNS Servers - I now want to correlate this with data from our proxy to attempt to identify the user logged onto the machine. What I have written is below: | tstats summariesonly=t count as Count, dc(fw.rule) as dc_rules, values(fw.rule) as rules, max(_time) as LastSeen, values(fw.dest_ip) as Destination FROM datamodel=Firewall.fw WHERE fw.dest_ip = 8.8.4.4 OR fw.dest_ip = 8.8.8.8 AND fw.action = "blocked" BY fw.src_ip, fw.action | rename src_ip as src_host | join srch_host [ search index=proxy | fields src_host,UserName] | table src_host,Destination,action,UserName,Count The proxy index is quite data heavy so ideally I would like to set the search to have src_host as the src_host identified in the parent query. Could anyone help a.) Streamline the query to improve performance and b.) help me get it working! Many Thanks ... View more

Hello, I have a tstats query that works really well. However, I am trying to add a sub search to it to attempt to identify a user logged into the machine. Here is what I am trying to do: | tstats summariesonly=t count as Count, dc(fw.rule) as dc_rules, values(fw.rule) as rules, max(_time) as LastSeen, values(fw.dest_ip) as Destination FROM datamodel=Firewall.fw WHERE fw.dest_ip = 8.8.4.4 OR fw.dest_ip = 8.8.8.8 AND fw.action = "blocked" BY fw.src_ip, fw.action | rename src_ip as src_host | join src_host [ search index=proxy | fields src_host,UserName] | table src_host,Destination,action,UserName,Count The proxy index is a heavy index with lots of data ideally I would like to set another the search to only look for traffic from src_host and then return the username. Anyone have any ideas how I can A.) improve the search and B get it to work 🙂 Many thanks! ... View more

Hello, I have a search like below: index=mail | recipient="joebloggs@test.com" However, I would like to build a lookup table of VIP users that I want to use for the recipient field. Is this easy to do? Thanks ... View more

Hello, I have an alert setup that I would like to send to end users however I want to change the from address in the email alert. Are you able to change the from field for specific alerts? Ta. Pete. ... View more

Hi, I have a tstats query working perfectly however I need to then cross reference a field returned with the data held in another index. Example query which I have shortened | tstats summariesonly=t count FROM datamodel=Datamodel.Name WHERE earliest=@d latest=now datamodel.EventName="LOGIN_FAILED" by datamodel.EventName, datamodel.UserName What I am after doing is then running some kind of subsearch to query another index to return more information about the user. I thought of doing something like | tstats summariesonly=t count FROM datamodel=Datamodel.Name WHERE earliest=@d latest=now datamodel.EventName="LOGIN_FAILED" by datamodel.EventName, datamodel.UserName | [search index=ad Name=datamodel.UserName] However it doesn't seem to like it. Can someone point me in the correct direction I am banging my head on the wall! Thanks! ... View more

Hello, I have a search woring which returns single IP addresses as source for certain events. As part of this I want to pass the source address into the eval function. I have eval working with "eval ip = "10.0.0.2" I am then passing this into a lookup table and everything is great but I want to automate this so that the results from source are automatically passed through eval IP and then matched on my lookup so that I can return additional information form the lookup. However I can't get the eval function to use the results from the source field returned as per the search. I have tried the following: eval IP = source eval source as IP I must be missing something can someone put me out my misery please? ... View more