sourcetype=firewall action=pass action=proxy
| bin _time span=5m
| dedup srcip
| eval Time = strftime(_time,"%Y-%m-%d %H:%M:%S")
| table Time, srcip, srcport, dstip, dstport, app
| outputlookup vpn.csv
This is my first search to create a lookup.
And my second search is:
sourcetype=dhcp
| lookup vpn.csv srcip AS dest_ip
| search Time=*
| eval event_time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| where _time < event_time
| stats latest(dest_nt_host) as dest_nt_host by dest_ip
| outputlookup append=true vpn.csv
Actually I'm not getting any errors, just my lookup is not updating. That's the problem.
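As an added illustration, not code from the post, here is the correlation the two searches aim at, run in Python over constructed sample rows: for each VPN srcip, the latest DHCP lease for that address recorded before the session's Time, then the result keyed by srcip. The field names are the post's; the sample values and the None result for an address whose only lease is later than the VPN time are assumptions.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from the post). VPN_ROWS mirrors what the
# first search writes to vpn.csv: one row per srcip with its Time.
VPN_ROWS = [
    {"Time": "2024-03-01 09:15:00", "srcip": "10.1.1.20"},
    {"Time": "2024-03-01 11:40:00", "srcip": "10.1.1.21"},
    {"Time": "2024-03-01 08:00:00", "srcip": "10.1.1.22"},
]

# Constructed DHCP events: lease time, leased address, client hostname.
DHCP_EVENTS = [
    {"_time": "2024-03-01 07:30:00", "dest_ip": "10.1.1.20", "dest_nt_host": "LAPTOP-A"},
    {"_time": "2024-03-01 09:00:00", "dest_ip": "10.1.1.20", "dest_nt_host": "LAPTOP-B"},
    # later than the VPN Time for 10.1.1.20, so it must not win
    {"_time": "2024-03-01 09:30:00", "dest_ip": "10.1.1.20", "dest_nt_host": "LAPTOP-C"},
    {"_time": "2024-03-01 10:00:00", "dest_ip": "10.1.1.21", "dest_nt_host": "DESKTOP-X"},
    # only lease for 10.1.1.22 and it is after the VPN Time: no attribution
    {"_time": "2024-03-01 12:00:00", "dest_ip": "10.1.1.22", "dest_nt_host": "DESKTOP-Y"},
]


def parse(ts):
    return datetime.strptime(ts, FMT)


def attribute_hosts(vpn_rows, dhcp_events):
    """For each VPN srcip, return the dest_nt_host of the latest DHCP lease
    for that address with _time strictly before the VPN Time (the
    `where _time < event_time` plus `latest(dest_nt_host)` steps).
    Addresses with no earlier lease map to None."""
    result = {}
    for vpn in vpn_rows:
        vpn_time = parse(vpn["Time"])
        latest = None  # (lease_time, hostname)
        for ev in dhcp_events:
            if ev["dest_ip"] != vpn["srcip"]:
                continue
            t = parse(ev["_time"])
            if t < vpn_time and (latest is None or t > latest[0]):
                latest = (t, ev["dest_nt_host"])
        result[vpn["srcip"]] = latest[1] if latest else None
    return result


def enriched_rows(vpn_rows, dhcp_events):
    """Original VPN rows with dest_nt_host added; srcip is kept on every
    row so a later `lookup ... srcip` can still match them."""
    hosts = attribute_hosts(vpn_rows, dhcp_events)
    return [dict(row, dest_nt_host=hosts[row["srcip"]]) for row in vpn_rows]
```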