Are you sure you aren't supposed to be sending that token as a header? Here is an example of a working token auth handler I've written: class TokenAuth(AuthBase): def __init__(self, username, password, domain, url, **kwargs): headers={'Content-Type':'application/json'} body=json.dumps({'userName':username, 'password':password, 'authLoginDomain': domain}) r = requests.post(verify=False, url=url, headers=headers, data=body) if r.status_code==200 and 'sessionID' in r.json(): self.sessionID = r.json()['sessionID'] else: raise RequestException('Could not authenticate') pass def __call__(self, r): r.headers.update({'auth':self.sessionID, 'Content-Type':'application/json'}) return r ... View more

I just did something very similar to this for our firewall logs (I am doing almost the exact same thing as you here), I was able to speed up a search run time for a 30 day search from many many hours to a few seconds using an accelerated data model. Create a new data model named "firewall_events", and Add Object -> Root Event named "firewall_events" with constraints (possibly also include indexes as MuS suggests): (sourcetype="firewall" OR sourcetype="ips") (dest_port="21" OR dest_port="22" OR dest_port="3389") (action="blocked" OR action="denied") (dest_ip!="10.0.0.0/8" AND dest_ip!="172.16.0.0/12" AND dest_ip!="192.168.0.0/16") Next, add the fields you want with "Add Attribute > Auto-extracted", and pick out the fields you need. Turn on acceleration over the time interval you want to search (30 days for me). Last, search thusly: | pivot firewall_events firewall_events count(firewall_events) AS "Count" SPLITROW src_ip AS "src_ip" SPLITROW dst_ip AS "dest_ip" SPLITROW sourcetype AS "sourcetype" SORT 0 src_ip | iplocation dest_ip | sort - Count I haven't quite gotten the hang of the pivot command syntax yet, so I did that part in the pivot editor and then clicked "Open in Search" to finish the rest of the query. You may have to wait a few hours for the acceleration to build before you see the full speedup. Good luck! ... View more

You can use coalesce() From the docs: "This function takes an arbitrary number of arguments and returns the first value that is not null." eg: ... | lookup users.csv name as name OUTPUT code as code_lookup | eval code=coalesce(code,code_lookup) This will leave the code field as it was if it existed in the event before, but fill it with the lookup value if it was null. ... View more