Hi @Pooja_R, I agree with @yuanliu , could you better describe what in your search don't work? Anyway, to display a value field in a stats command, you can use the values() option, something like this: <your_search> | bin _time span = 5m | stats dc(D_IP)as dest_ip_count earliest(_time) AS start_time values(host) AS hostname values(dest_ip) AS dest_ip BY src_ip | search dest_ip_count>3 | eval start_time=strptime(connection_start_time,"%Y-%m-%d %H:%M:%S") | sort -dest_ip_count Ciao. Giuseppe ... View more

Look up the src_ip (make sure the lookup definition says CIDR match) If the lookup finds a match then the src_ip is allowed, therefore, if there is no match applications will be null | lookup cidr_vpc.csv allowed_cidr as src_ip OUTPUT applications | where isnull(applications) | table _time,host,sourcetype,src_ip,dst_ip ... View more