Could someone help me with such a query? I am running a scheduled search every 30 minutes which aims to find duplicate registrations from the last 30 minutes, that were also used when compared to the last 4 hours.    Since it runs search every 30 minutes, I cannot just search using a 4 hour window, else it will keep triggering an alert every 30 minutes for 4 hours basically.    index=myindex userRegistration earliest=-4h latest=now |stats count by dc(userName) as UserCount | where UserCount>1 ... View more

I have a lookup which I want to compare search results against and find duplicate values.   How do I ignore duplicates found that already exist in my dataset? And only identify duplicates using results from my search compared to the dataset? index=myindex sourcetype=k_logs (ns4:phoneNo OR emailInfo OR address) AND DummyOrgName AND "<requestType>UPDATEUSER</requestType>" | xmlkv | rename "ns4:phoneNo" as phoneNo | search orgName = "DummyOrgName" | eval phoneAndEmail= coalesce(phoneNo, address) | fields phoneAndEmailphoneNo address ipAddress userName | table phoneAndEmailphoneNo address ipAddress userName | append [|inputlookup thisLookup.csv | table phoneAndEmail phoneNo address ipAddress userName] | stats values(phoneNo) AS phoneNo values(address) AS address values(ipAddress) AS ipAddress values(userName) AS userName dc(userName) AS UserCount by phoneAndEmail | where UserCount>2 ... View more

Need some help. I can't wrap my head around this. Need to lookup a csv which contains clientip, and compare against my results with IP also in field clientip to show in a new column as matching or not matching  | index=foo  .... [|inputlookup IPlist.csv | fields clientip | rename clientip AS knownIP] | eval isMatching = if(clientip == knownIP, "matching", "notmatch") | table clientip, field x, field y, field z, isMatching Am I way off base here? Should I be looking at other commands? I get zero results with this. Without it, my main search runs fine and many events with IPs show. Much appreciated ... View more