IS there a way to look for data from the results of first query ?

Comments

3 comments

  • Avatar
    Graham

    Hey Ariel,

    Can you post a example of your query? You should be able to do 2 lookups in one query, if you can share what you have here I can assist. Also, if you can enable support I can help test this.

    Thanks,

    Graham

    0
    Comment actions Permalink
  • Avatar
    Ariel Badillo

    Graham, 

    The current query is: 

    _sourceCategory=qmail/logs AND _sourceHost=uklemailsc01 "alper_sunay@outlook.com
     
    this would return something like this: 
    Sep 12 15:18:00 mymailserver qmail: 1505243880.653358 starting delivery 2209296: msg 685799 to remote alper_sunay@outlook.com
     
    Then we take the delivery ID of 2209296  and run:
    _sourceCategory=qmail/logs AND _sourceHost=uklemailsc01 "delivery 2209296"
     
    This returns the failure msg. 
    Sep 12 15:18:05 mymailserver qmail: 1505243885.875806 delivery 2209296: failure: 104.47.1.33_does_not_like_recipient./Remote_host_said:_550_5.5.0_Requested_action_not_taken:_mailbox_unavailable._[VE1EUR01FT043.eop-EUR01.prod.protection.outlook.com]/Giving_up_on_104.47.1.33./
     
     
     
     

    Thank you for the reply.  I do see that support is enabled.  see below. 

    0
    Comment actions Permalink
  • Avatar
    Latimer Luis

    Below is an example of a query that performs two lookups in the same query. What we would suggest is that you apply whatever filters you can between the two lookup operators and more importantly, we suggest that you aggregate your data before the lookup for better performance. 

    _sourceCategory=foo
    | parse "remote_ip=*]" as remote_ip
    | count by remote_ip
    | lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = remote_ip
    | where !country_name="United States"
    | lookup type, actor, raw, threatlevel as malicious_confidence from sumo://threat/cs on threat=remote_ip

    0
    Comment actions Permalink

Please sign in to leave a comment.