I'm trying to format a search in which I have a lookup with one column; this column includes malicious email addresses, and "indicator" is the field. Now I would like my search to return any events where either the "recipient" or the "sender" field matches "indicator". I'm not sure how to write that query, though, without renaming my "indicator" field to one or the other. This is what I have so far:
index=msexchange [inputlookup blocklist.csv |fields indicator |format] indicator=*
|table _time, indicator, subject
I know indicator=* will not return any results because none of my events contain that field. At the moment of writing this, though, I'm wondering if eval will work for this? If I find a solution I'll post my results.
Thanks in advance, let me know if you have any questions.
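One way to match a single-column lookup against two different event fields, written as an added example rather than the poster's own search. It assumes the lookup file is blocklist.csv with a column named indicator, the events carry sender and recipient fields, and the index is msexchange, all taken from the question above; the field names sender_hit and recipient_hit are made up here. The subsearch copies each indicator value into both a sender and a recipient field and tells format to join the columns with OR instead of the default AND, so the generated filter reads (sender=a OR recipient=a) OR (sender=b OR recipient=b) ... and the search itself does the filtering. The two lookup commands then put the matched indicator back on each event so it can be tabled without renaming anything in the CSV.

```spl
index=msexchange
    [| inputlookup blocklist.csv
     | eval sender=indicator, recipient=indicator
     | fields sender recipient
     | format "(" "(" "OR" ")" "OR" ")" ]
| lookup blocklist.csv indicator AS sender OUTPUT indicator AS sender_hit
| lookup blocklist.csv indicator AS recipient OUTPUT indicator AS recipient_hit
| eval indicator=coalesce(sender_hit, recipient_hit)
| table _time, indicator, sender, recipient, subject
```

Two things to check before relying on this: the subsearch is subject to Splunk's subsearch result limit, so if the blocklist grows past that limit some indicators will silently be dropped from the generated filter, and the lookup-only form (the two lookup lines followed by a where isnotnull(sender_hit) OR isnotnull(recipient_hit) filter) should be used instead; and the field names must match how the sender and recipient addresses are actually extracted in the msexchange events, which is worth confirming with a quick search before wiring this into an alert.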