Lookup tables expect to find the exact string in the given column. They do not do substring matching nor to they support multi-value. IOW, it will not find 'ip2' because the column contains the single value 'ip1,ip2,ip3'. You will need to restructure the lookup table to have a single IP address in each row. dns ip server1 ip1 server1 ip2 server1 ip3 server2 ip4 server2 ip5 server2 ip6 server3 ip7 server4 ip8 server4 ip9 server4 ip10 server4 ip11 ... View more

No, latest does not exist in the subsearch Remove it thusly: | join client_ip [...] From the join docs.splunk page: Field names must match, not just in name but also in case. You cannot join product_id with product_ID. You must first change the case of the field in the subsearch to match the field in the main search. ... View more

| makeresults | eval _raw="User,host,parent_process_id,parent_process,process_id,process,count NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10136,whoami,1 NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",10540,\"AdobeExpiryCheck.exe\",1 NT AUTHORITY\SYSTEM,Laptop,11808,\"cmd\",6764,hostname,1 NT AUTHORITY\SYSTEM,Laptop,8100,C:\WINDOWS\PSEXESVC.EXE,11808,\"cmd\",1 NT AUTHORITY\SYSTEM,Laptop,816,C:\WINDOWS\system32\services.exe,8100,C:\WINDOWS\PSEXESVC.EXE,1" | multikv forceheader=1 | table User,host,parent_process_id,parent_process,process_id,process,count | sort parent_process_id | eval processes=mvappend(parent_process,process) | dedup parent_process | stats list(processes) as processes | eval processes=mvdedup(processes) | eval processes=mvjoin(processes," -> ") ... View more