Hello everyone,

Scenario: In my case, I use a daily search to create DnsQueryLog.csv, recording the domains queried each day in this csv file (no duplicates), and I want to find new query domains by comparing against these domains every day.

Problem: Now DnsQueryLog.csv contains 8,038 domains, and I confirmed that the data can be displayed using the following command:

| inputlookup DnsQueryLog.csv

And I use the following command to find new query domains today:

sourcetype="isc:bind:query"
| stats count(query) by query
| sort - count
| fields query
| search NOT
    [| inputlookup DnsQueryLog.csv]

But it does not work. In this test, the number of domains queried today is equal to the data in the csv file, which is also 8,038. My understanding is that if it runs correctly, the number of search results should be 「0」, but it shows 8,038 records, which confuses me. Can someone help me confirm which part I am doing wrong?

P.S. I have confirmed that the domain names in the csv file are the same as the query result (8,038), and that the csv field name is the same as the output field of the query result.

Sincere thanks
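An alternative way to express the same "domains seen today but not in the csv" comparison, added here as an example and not part of the original post: instead of building a large NOT subsearch, the lookup command tags each result row that matches the csv, and where keeps only the untagged rows. It assumes, as the poster states, that the csv's column is named query and that DnsQueryLog.csv is uploaded as a lookup table file; the field name known_domain is an assumed alias chosen for this example.

```spl
sourcetype="isc:bind:query"
| stats count AS hits BY query
| lookup DnsQueryLog.csv query OUTPUT query AS known_domain
| where isnull(known_domain)
| sort - hits
| fields query hits
```

Running this on a day whose queried domains all already appear in the csv should return no rows, which makes it a quick way to validate the lookup contents independently of the subsearch form. Two caveats a practitioner would check: csv lookup matching is case-sensitive by default, so a domain that differs only in case from its csv entry will show up as "new" unless both sides are normalised (for example with eval query=lower(query) before the lookup); and a subsearch such as [| inputlookup ...] is subject to Splunk's subsearch result limit, which the lookup approach avoids as the csv grows beyond the current 8,038 rows.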