Kindly help me modify a query on a data model. I have built the query:
| tstats summariesonly dc(All_Traffic.src) as src_count from datamodel=Network_Traffic where * by All_Traffic.dest | search [| inputlookup Ip.csv | rename Ip as All_Traffic.dest | fields All_Traffic.dest ] | sort -src_count
The above query displays the Dest IP and Count (a Dest IP that matches both Network Traffic and the CSV is displayed in the result). Also, in my Ip.csv there is a field Ip, so I rename it to All_Traffic.dest to match the value. Till now everything is fine. Now I am looking for this result: Src IP, Dest IP and Count.
Note: I am only comparing Dest IP with the CSV, no other field.
Thanks, I am not getting any errors. The above query gives information about incoming IP addresses hitting the firewall that match the lookup file. I am getting the output Src IP (matched IP from lookup) and Count. Now I want to see Src IP, Count and Dest IP.
The above query will provide the output below.
Src IP Src_Count
But I need output: