Solved: How to filter results from Lookup?

alexspunkshell · ‎06-10-2021

In my search results, I have multiple results for "Alert" & "UPN"

I want to only include "Alert=Anonymous IP address" for specific 10 "UPN" and other results to ignore.

So I made a lookup table to filter it. However, multiple other "Alert" results are also included in my search results for the "UPN"

Query

........
| lookup Trusted_Anonymizer Alert_UPN as UPN
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search Anonymizer_alert=Yes
|table Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

Spoiler

........
| lookup Trusted_Anonymizer Alert_UPN as UPN
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search Anonymizer_alert=Yes
|table Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

........| lookup Trusted_Anonymizer Alert_UPN as UPN | eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")| search Anonymizer_alert=Yes|table Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana @to4kawa @woodcock

to4kawa · ‎06-11-2021

The data and lookup samples are not obvious, so I am not sure.

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

View solution in original post

to4kawa · ‎06-11-2021

The data and lookup samples are not obvious, so I am not sure.

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

How to filter results from Lookup?

eval

field extraction

lookup

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms