@Daljeanis
Sorry about my late reply.
I actually changed it around again so it's not using join, but my solution is contained within a Dashboard where $field1$ is either an internal or external IP address (it can be 10.*) and $field2$ is optional and is usually meant to be a remote IP or DNS name, if you want to specify it in order to see which internal IP visited a specific foreign address or, in the absence of $field2$, see a list of internal IPs that visited a remote address. It replaces remote IPs it finds in the 10.0.0.0/8 range with a "-" if they're returned.
$field1$ $field2$ | rex field=_raw "[\s]*(?<specified_internal_ip>$field1$)" | rex field=_raw "[\s]*(?<Assoc_Foreign_IPs>[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})" | rex field=_raw "[\s]*(?<DNS_Foreign_IPs_End_Semi_Colon>[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3});" | rex field=_raw "[\s]*(?<Assoc_Other_Internal_IPs>10\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})" | eval Assoc_Foreign_IPs=if(cidrmatch("10.0.0.0/8",Assoc_Foreign_IPs), "-", Assoc_Foreign_IPs) | stats values(Assoc_Foreign_IPs), values(DNS_Foreign_IPs_End_Semi_Colon) by specified_internal_ip, sourcetype, Assoc_Other_Internal_IPs | sort - values
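The association the search above builds, as an added Python example that is not the poster's code: it pulls IPv4 addresses out of raw events, keeps only events that mention a chosen internal IP, and separates 10.0.0.0/8 peers from foreign ones instead of masking them with "-". The log format, sample lines and function names are constructed for illustration; the boundary lookarounds and octet validation are additions that stop an unanchored pattern from reading "10.1.2.3" out of "110.1.2.3" or accepting "999.1.1.1".

```python
import ipaddress
import re

# Dotted-quad candidates. The lookarounds reject matches that start or end
# inside a longer run of digits and dots (so "110.1.2.3" never yields
# "10.1.2.3"); an address directly followed by "." is skipped as well.
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample events (assumed format, not taken from the post).
SAMPLE_LOG = [
    "2024-01-01T00:00:01 src=10.1.2.3 dst=203.0.113.5; action=allow",
    "2024-01-01T00:00:02 src=10.1.2.3 dst=10.9.9.9; action=allow",
    "2024-01-01T00:00:03 src=10.4.4.4 dst=198.51.100.7; action=allow",
    "2024-01-01T00:00:04 src=10.1.2.3 dst=110.1.2.3; action=deny",
    "2024-01-01T00:00:05 src=10.1.2.3 dst=999.1.1.1; action=deny",
]


def extract_ips(line):
    """Return the valid IPv4 addresses found in one event, in order."""
    found = []
    for candidate in IP_RE.findall(line):
        try:
            found.append(ipaddress.IPv4Address(candidate))
        except ipaddress.AddressValueError:
            continue  # octet out of range, e.g. 999.1.1.1
    return found


def associate(lines, internal_ip):
    """Collect the peers seen in the same event as internal_ip."""
    target = ipaddress.IPv4Address(internal_ip)
    foreign, other_internal = set(), set()
    for line in lines:
        ips = extract_ips(line)
        if target not in ips:
            continue  # event does not involve the chosen host
        for ip in ips:
            if ip == target:
                continue
            bucket = other_internal if ip in INTERNAL_NET else foreign
            bucket.add(str(ip))
    return {"foreign": sorted(foreign), "other_internal": sorted(other_internal)}


if __name__ == "__main__":
    print(associate(SAMPLE_LOG, "10.1.2.3"))
```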