I am trying to only include dest_ip  in my search if action is not "blocked.  These are the input panels:     <input type="dropdown" token="my_action" searchWhenChanged="true"> <label>Action</label> <choice value="*">any</choice> <choice value="allowed">allowed</choice> <choice value="blocked">blocked</choice> <prefix>action=</prefix> <change> <condition label="blocked"> <unset token="is_not_blocked"></unset> </condition> <condition label="allowed"> <set token="is_not_blocked">true</set> </condition> <condition label="*"> <set token="is_not_blocked">true</set> </condition> </change> <default>*</default> </input> <input type="text" token="my_dest_ip" searchWhenChanged="true" depends="$is_not_blocked$"> <label>Destination IP address (CIDR okay)</label> <default>*</default> <prefix>dest_ip=</prefix> <initialValue>*</initialValue> </input>     This is the search:     <panel> <title>Network Connections by Source</title> <table> <title>Count of network connections by source - click on a line for list of sessions from that source</title> <search> <query>index=proxy $my_host$ $my_src_ip$ $my_dest_ip$ $my_url$ $my_action$ | lookup dnslookup clientip as src_ip OUTPUT clienthost as Host | stats count by src_ip Host action | table src_ip, Host action count | sort -count | rename src_ip as "Source_IP" action as Action count as "Count"</query> <earliest>$time_range.earliest$</earliest> <latest>$time_range.latest$</latest> <sampleRatio>1</sampleRatio> </search> <option name="count">20</option> <option name="dataOverlayMode">none</option> <option name="percentagesRow">false</option> <option name="refresh.display">progressbar</option> <option name="rowNumbers">false</option> <option name="totalsRow">false</option> <option name="wrap">true</option> <drilldown> <set token="drill_client_ip">$row.Source_IP$</set> <set token="drill_url">*</set> <set token="drill_dest_ip">*</set> <set token="drill_action">$row.Action$</set> </drilldown> </table> </panel>     The input panel for my_dest_ip disappears when I select "blocked" in the action panel, but the search still includes dest_ip=*.  What am I not understanding? ... View more

I have a search that writes to a lookup table.  I would like to run this search once a month and update (overwrite) the lookup table.  I see that I can schedule reports, dashboards, and alerts.  Is it possible to do it with a search that writes to a lookup table file? ... View more

I have a lookup table named ics_special_domains that contains this: domain_name,type microsoft.com,microsoft *.microsoft.com,microsoft google.com,google *.google.com,google nwngms.com,ot *.nwngms.com,ot gasco.com,it *.gasco.com,it I'm trying to use this in a search to filter on specific types, but I'm trying a basic search first.  This is the most basic search I'm trying: index=ics_dns ( query_type="A" OR query_type="AAAA" ) | lookup ics_special_domains domain_name as query{} outputnew type as domain_type | where domain_type="microsoft" It returns this error: basic_string::erase: __pos (which is 18446744073709551615) > this->size() (which is 0) I'd appreciate any help figuring this out. ... View more

I have an add-on running on a heavy forwarder that is using the name of the HF as the  host.  I'm trying to change the host to something  more useful.  All of the events are of the sourcetype rubrik:*. Here is a sample event: {"_time": "2022-03-07T23:31:00.000Z", "clusterName": "my-host", "locationId": "XXXmaskedXXX", "locationName": "XXXmaskedXXX", "type": "Outgoing", "value": 0} I would like to use "my-host" as the host.  This is what I'm trying with no success. props.conf: [rubrik:*] TRANSFORMS-myhost = hostoverride transforms.conf: [hostoverride] DEST_KEY = MetaData:Host REGEX = \"clusterName\"\:\s\"(.+)\".+ FORMAT = host::$1   ... View more