So here is my existing query as it runs now:

sourcetype=snort [search sourcetype=snort | top limit=20 src | table src]
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures

I am not the original builder of this query, but I am editing it. These are normalized Snort logs. I'd like to return the top 20 signatures by source, while displaying source (src), count, country, DNS resolution (dnslookup) and signature (sigs). There are signatures I want to completely exclude by sig_id, and then there are signatures I would like to exclude where the signature has a specific src or CIDR range. I seem to be creating unbalanced parentheses when trying my boolean expressions or where clauses. Please assist.
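One way to add both kinds of exclusion to the posted query without losing track of the parentheses, as an added example that is not part of the original post or its author's query. The sig_id values, the signature names, the 10.0.0.0/8 range and the 192.0.2.5 address are placeholders chosen for illustration; substitute your own. The structure of the posted query (subsearch picking the top 20 sources, then stats by src) is kept as-is.

```spl
/* Placeholders: the sig_ids, signature names, CIDR block and host IP below are
   illustrative only and must be replaced with the real values. */

/* 1. Blanket exclusions by sig_id: done in the search command with NOT ... IN (...).
      This is also repeated inside the subsearch so the "top 20 sources" list is
      computed on the already-filtered events, not on the raw feed. */
sourcetype=snort NOT sig_id IN (1000001, 1000002)
    [ search sourcetype=snort NOT sig_id IN (1000001, 1000002)
      | where NOT (signature="EXAMPLE SIG A" AND cidrmatch("10.0.0.0/8", src))
        AND NOT (signature="EXAMPLE SIG B" AND src="192.0.2.5")
      | top limit=20 src
      | table src ]

/* 2. Conditional exclusions (signature only when it comes from a given src or range):
      one NOT ( ... AND ... ) group per rule in a where command. cidrmatch() is an
      eval function, so it must live in where/eval, not in the search command, and
      every string on the right-hand side must be quoted. */
| where NOT (signature="EXAMPLE SIG A" AND cidrmatch("10.0.0.0/8", src))
    AND NOT (signature="EXAMPLE SIG B" AND src="192.0.2.5")

/* 3. The rest is the posted pipeline, unchanged. */
| stats count, values(signature) as Sigs by src
| sort -count
| lookup dnslookup clientip as src OUTPUT clienthost as DST_RESOLVED
| iplocation src
| fields src, count, Country, DST_RESOLVED, Sigs
| rename src as "Source IP", count as Count, DST_RESOLVED as "DNS Resolution", Sigs as Signatures
```

Two things keep the parentheses balanced here: each conditional rule is exactly one `NOT (` ... `)` group joined to the next with `AND`, so you can count one open and one close per rule, and the `search`-style filters (`NOT sig_id IN (...)`) are kept apart from the `where`-style filters (`cidrmatch(...)`, quoted strings) instead of being mixed in one expression, which is the usual source of syntax errors when the two grammars are combined. Applying the same exclusions inside the subsearch matters for the result, not just the syntax: otherwise a source whose only alerts are excluded signatures can still occupy one of the 20 slots and then show up with a small or empty signature list.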