Hello, The only count I need in my report is client_ip counts I dont understand how you can count matching events but if you can modify my last query (and replace join with something more efficient) that would be a great help. Thanks ... View more

Yuanliu thank you very much for taking your time to write and help. Below is my response 1. lets forget about outputlookup 2. original main (outer) search of network index is fast by itself given the code that includes bucket, eval and output in stats.  So the delay is not here. 3. dashboard input is account_Name and source_network_address (but i can use tokens to pass network_address) 4. since we are no longer doing lookup table it's a moot point to answer subsequent bullet items.  I'm Sorry. Someone pointed out that its possible to reduce network output by passing parameter to the outer main search using "format" While that code drastically reduces returned set of data from network, query I now need to rethink how to move forward from produced output. I think it a step in a right direction. Let me show what was proposed: Let me explain data structure a bit: snat and client is in a form IP:PORT So we need to match IP:PORT from network and ad indexes as well as time stamp that those events match on. output is just client_ip. i don't need to make any evaluations of count i just want to know how many client_IP we have of each New proposed code is below.  If you look at splunk logging its interesting to see how format appends to network search in form of (snat=ip1 OR snat=ip2 OR ....) index=_network sourcetype=f5 irule=* [| search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..) | eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:")) | eval SourceIP = Source_Network_Address | eval snat = SourceIP+":"+Source_Port | fields snat | format ] ```passes formated string to main search for _network to find only those snats``` | table client snat _time ```| join type=inner snat _time [ search index=_ad (EventCode=4625 OR (EventCode=4771 Failure_Code=0x18)) Account_Name=USER Source_Network_Address IN (IP1,IP2..) | eval Source_Network_Address1 = case(EventCode==4771, trim(Client_Address, "::ffff:")) | eval SourceIP = Source_Network_Address | eval client = SourceIP+":"+Source_Port | table snat_time] | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" | stats values(client_ip)``` ... View more

Matching on both fields is paramount here Including buckets of time of 1minute  Also, Network query count is 10million events (give or take )in 24 hour window.  So imagine running this for 10 days ... View more

So that worked!  However, it created a new problem.  It runs sooo long. I was talking another engineer and he suggested to do outputlookup just for the small _ad index. than use that data to match just like in this example by @ITWhisperer But i m not able to combine and get the output.  I'm thinking because i need to match on 2 columns instead of single one as below?  search index | table host | dedup host | append [ | inputlookup lookupfile | table host | dedup host ] | stats count by host | eval match=if(count=1, "missing", "ok")   ... View more

That returns client and client_ip just fine Seems like splunk cares which index is mentioned furst? ... View more

client_ip is not getting returned.  I have tried using values() and count by. I tested rex for client_ip returns values using below test, and it does. index=_network snat IN (10.10.10.10*,20.20.20.20*) | rex field=client "^(?<client_ip>.*?)\:(?<client_port>.*)" ``` this applies to index _network ``` | table client_ip Above returns just a list of IPs from our clients.     ... View more

Example would be: clicking drilldown in first dashboard which had search set to "7 days" would take value of time picker of "7 days" and pass it to 2nd dashboard on click.  That way my 2nd dashboard will also open up with 7 day search. ... View more

Hey Guys how do i perform same thing inside Dashboard Studio?   Thanks ... View more