Current search is essentially this:
| tstats values(All_Traffic.src) as src
| lookup mythreatlist IOC as dest OUTPUTNEW list
| search NOT whitelistedSources
| search NOT whitelistedDestinations
The tstats model uses a sourcetype the returns logs that do not have the URL in them, only destination IP. This cannot change. A second sourcetype, stURL, does have the URLs. I am looking for a way to use a subsearch/join so that I can exclude all source IPs where the URL is splunkdotcom, even if the IP for splunkdotcom is on my threat list.
I have tried to create the subsearch
[search index=A sourcetype=stURL url="*splunkdotcom*" | fields src]
to obtain all source IPs that visited splunk.com and then exclude them from my tstats search but it does not appear to be working as intended.
... View more