Hi,
I am running the below search query and get the error "[subsearch]: Subsearches of a real-time search run over all-time unless explicit time bounds are specified within the subsearch"
index="webproxylogs" [| inputlookup Blacklist_URLs.csv | rename Malicious_URL as cs_host | fields + cs_host | dedup cs_host | fields cs_host] NOT [| inputlookup Whitelist_URLs.csv | rename Non-Malicious_URL as cs_host | fields + cs_host | dedup cs_host | fields cs_host]
In my search, I am trying to get the list of internal hosts accessing the domains listed in Blacklist_URLs.csv and excluding the whitelist domains (like google, yahoo, etc.) listed in Whitelist_URLs.csv. If well-known domains like google.com are accidentally added to Blacklist_URLs.csv, they get excluded by Whitelist_URLs.csv.
The above search query was giving me results; however, in the recent past (last 45 days) this search query gives me the subsearch time limit error mentioned above. Please help me to rectify this issue. Thanks.