More clarification: lookup1 and lookup2 have different fields respectively. The goal is to: - Have events from index=foo... - Show only events that match fieldA in lookup1... - Output fieldB and fieldC from lookup1... - Remove events (or not see) that match fieldX, fieldY, and fieldZ in lookup2... ... View more

No results with just the subsearch. ... View more

There is confusion with the title. The first lookup should not affect the second lookup. I am looking at lookup1 and getting results. Then I am saying do not look at events that match lookup2. ... View more

I have been using the lookup command for lookup1 and it works great. I can read, compare, and pull fields. But I can't figure out how to say ignore lookup2 events. ... View more

It doesn't pull anything. Checked the lookup, it was empty. So it should spit out results. ... View more

Oh, and thanks btw. ... View more

Why did you add the not null for fieldB? ... View more

I had a typo on my end. It works. ... View more

Sweet we are getting somewhere! I got the output of fieldB but results are still showing all results of fieldA not just what populates compared to the lookup table. <--does that make sense? ... View more

No. It is not. Should it be? ... View more

So your search might be cumbersome because you are not using metadata. Metadata is perfect for this instance and does not require Splunk to search all indexes at search time. You should use something like this... | metadata type=sourcetypes index=* Much like others above have mentioned. ... View more

Try | metadata type=sources sourcetype=* ... View more

I didn't think ES had its own .conf file. I did change the default time in the location you mentioned and followed the instructions and formatting stated in the documentation. To clarify, the search head with the ES app was changed. Within the same search head, the "Search & Reporting app does reflect the changes made. However, when you go into the ES app, and click on the "Search" tab, then the "Search" option, the setting is still set to "All Time". ... View more

What is the time spent on the search? i.e. is it already a fairly long search to complete? I was able to do something similar by utilizing a subsearch. But subsearches slow the search-time results. You can try... index=akamai src_ip!=xxx.xx.xx.xx AND src_ip!=xxx.xx.xx.xx [search index=akamai src_ip!=xxx.xx.xx.xx AND src_ip!=xxx.xx.xx.xx | lookup whitelistip.csv src_ip OUTPUTNEW src_ip as Whitelist | where isnull(Whitelist) | eval useragent=urldecode(useragent) | dedup useragent | top limit=x useragents | table http_user_agent, useragent] | stats dc(http_user_agent) AS Number_of_userAgents, list(useragent) as useragent_list, count(eval(uri_path="/search/stuff/v2")) as "SearchV2", count(eval(uri_path="shape/search/stuff/v2")) as "ShapeV2", count(eval(uri_path="/search/stuff/v1")) as "SearchV1", count as EventCount by src_ip | eval TotalCount=SearchV2+ShapeV2+SearchV1 | eval hitPercentage=(TotalCount/EventCount) * 100 | fields src_ip, Number_of_userAgents,useragent_list, hitPercentage, EventCount, SearchV2, ShapeV2, SearchV1, TotalCount If you are unsure about your subsearch just put "| format" behind it and you will see what it pipes to your search. ... View more

Ahhh. Makes sense now. Thank you. ... View more

Awesome. It worked. Can you explain why? ... View more

Have you tried... My search | timechart span=1h limit=0 count by student | anomalies by student ... View more

By mean activity, I am assuming you mean the average. | stats avg(count) by date_hour, user For standard deviation you can try something like below. Replace "n" with your amount. | eventstats stdev(count) as deviation | eval outlier=deviation*"n" | where count > outlier ... View more

The question is a little convoluted. Could you clarify if you are looking to eval between the two searches or search the "| fields..." for the entire search string? If it's the latter you can just pull it out of the subsearch. ... View more