We did a similar thing and it is easier than you think. Define this macro:
[SIEMMacro_Filter_Analyst_Exclusions(2)]
args = typeNameString_INPUT, fieldPrefixString_INPUT
definition = [| inputlookup SIEMLookupAnalystFilter\
| search Status = "Enabled"\
AND type ="$typeNameString_INPUT$"\
\
| fields - TTL *Time* *time* Status count comment* Comment* Description Vendor Product ExclusionReason type _*\
| rename * AS $fieldPrefixString_INPUT$*\
| format\
| rename COMMENT AS "Because this is always an exclusion, add a 'NOT' to the beginning"\
| eval search = "NOT " . search]
errormsg = Description: Author=Gregg Woodcock
iseval = 0
Then define a lookup called SIEMLookupAnalystFilter.csv that has a type field for your type of filter, such as Authentication_Exclusions, with the rows and columns that you need. Each row will create an OR and each column will create an AND. You use it like this:
You Search Here ...
AND `SIEMMacro_Filter_Analyst_Exclusions(Authentication_Exclusions, Authentication.)`
| Your
| Other
| Stuff
| Here
If you look at some of the other fields referenced in the macro, you will get an idea of other features that we built in, too.
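To see what the macro actually expands to before dropping it into a production search, the following added example (not part of the original post, and not Splunk code) simulates the macro's pipeline in Python: keep only Enabled rows of the requested type, drop the metadata columns the `fields -` clause removes, prefix the remaining field names, and build the `( a AND b ) OR ( c )` string that `format` would emit with a leading NOT. The lookup contents and the exact `format` quoting are constructed approximations of Splunk's behaviour.

```python
import csv
import io

# Constructed sample of SIEMLookupAnalystFilter.csv (not from the original post).
# Empty cells are left out of the generated search, as format does for null fields.
SAMPLE_LOOKUP_CSV = """\
type,Status,user,src,TTL,comment
Authentication_Exclusions,Enabled,svc_backup,10.0.0.5,2024-12-31,backup agent
Authentication_Exclusions,Enabled,scanner,,2024-12-31,vuln scanner from any src
Authentication_Exclusions,Disabled,olduser,10.0.0.9,2024-01-01,retired exclusion
Web_Exclusions,Enabled,,10.1.1.1,,belongs to a different filter type
"""

# Mirrors the macro's `fields - TTL *Time* *time* Status count comment* Comment*
# Description Vendor Product ExclusionReason type _*` clause.
DROPPED_EXACT = {"TTL", "Status", "count", "Description", "Vendor",
                 "Product", "ExclusionReason", "type"}


def is_dropped(field: str) -> bool:
    """True for metadata columns that must never become search terms."""
    low = field.lower()
    return (field in DROPPED_EXACT or "time" in low
            or low.startswith("comment") or field.startswith("_"))


def build_exclusion(csv_text: str, type_name: str, field_prefix: str) -> str:
    """Approximate `| inputlookup ... | search ... | fields - ... | rename * AS prefix*
    | format | eval search = "NOT " . search` for one filter type."""
    row_clauses = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # `| search Status = "Enabled" AND type = "<type>"`
        if row.get("Status") != "Enabled" or row.get("type") != type_name:
            continue
        # Each remaining non-empty column becomes one AND-ed term (rename * AS prefix*).
        terms = [f'{field_prefix}{k}="{v.replace(chr(34), chr(92) + chr(34))}"'
                 for k, v in row.items() if not is_dropped(k) and v]
        if terms:
            row_clauses.append("( " + " AND ".join(terms) + " )")
    # Caveat: with no matching rows there is nothing to exclude; check how your
    # deployment's `format` behaves on empty input rather than assuming it is safe.
    if not row_clauses:
        return ""
    return "NOT ( " + " OR ".join(row_clauses) + " )"


if __name__ == "__main__":
    print(build_exclusion(SAMPLE_LOOKUP_CSV, "Authentication_Exclusions", "Authentication."))
```

Running it prints the expansion for the Authentication_Exclusions type, which is what follows the `AND` in the usage shown above; a row with an empty src excludes that user from every source, so review blank cells carefully before enabling a row.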