Can I filter results based on the results of a Lookup?
I have a query that includes a lookup based on geocode which I think displays as a chart. I'd like to always exclude results for one country (the "United States") in the chart. How can I do that?
Search syntax is below:
_sourceCategory=syslog built outbound
| extract "OutsideInternet: *?(?<dest_host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !(dest_host matches "172.16.*") AND !(dest_host matches "192.168.*") AND !(dest_host matches "10.0.0.*")
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = dest_host
| timeslice 5m
| count by _timeslice,country_name
| transpose row _timeslice column country_name as *
-
You can add a "where" clause after the lookup leveraging any of the fields from the lookup. For example:
_sourceCategory=syslog built outbound
| extract "OutsideInternet: *?(?<dest_host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where !(dest_host matches "172.16.*") AND !(dest_host matches "192.168.*") AND !(dest_host matches "10.0.0.*")
| lookup latitude, longitude, country_code, country_name, region, city, postal_code, area_code, metro_code from geo://default on ip = dest_host
| where !(country_name matches "value_for_US")
| timeslice 5m
| count by _timeslice,country_name
| transpose row _timeslice column country_name as *
Not sure if the syntax is exactly right, but hope the idea helps...
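As an added illustration (not code from the original thread), the same pipeline in Python over constructed log lines and a constructed stand-in for the geo://default table: the country filter can only run after the lookup has populated country_name, which is why the answer places it there. Unlike the post's three text prefixes, the example matches private destinations against the full RFC 1918 CIDR blocks.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample syslog lines; the thread itself shows no log samples.
SAMPLE_LOGS = [
    "2024-03-01T10:01:07Z fw1 OutsideInternet: 203.0.113.10 -> 443",
    "2024-03-01T10:02:30Z fw1 OutsideInternet: 198.51.100.7 -> 443",
    "2024-03-01T10:03:15Z fw1 OutsideInternet: 10.20.30.40 -> 22",
    "2024-03-01T10:08:45Z fw1 OutsideInternet: 192.0.2.55 -> 80",
    "2024-03-01T10:09:59Z fw1 OutsideInternet: 203.0.113.10 -> 443",
]
# Constructed stand-in for the geo://default lookup; only country_name is kept.
GEO_LOOKUP = {
    "203.0.113.10": "United States",
    "198.51.100.7": "Germany",
    "192.0.2.55": "Brazil",
}
# RFC 1918 blocks as CIDR, so 10.x.x.x is excluded as a whole, not only 10.0.0.*.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Same capture as the post's extract operator, with the dots escaped to match literal dots.
DEST_HOST_RE = re.compile(r"OutsideInternet: *?(?P<dest_host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

def timeslice_5m(ts: str) -> str:
    """Floor an ISO-8601 UTC timestamp to the start of its 5-minute bucket (timeslice 5m)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    floored = int(t.timestamp()) // 300 * 300
    return datetime.fromtimestamp(floored, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def count_by_country(lines, exclude_country="United States"):
    """extract -> drop private dest_host -> lookup -> exclude country -> count by _timeslice, country_name."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = DEST_HOST_RE.search(line)
        if not m:
            continue  # no OutsideInternet destination in this line
        ip = ipaddress.ip_address(m.group("dest_host"))
        if any(ip in net for net in PRIVATE_NETS):
            continue  # internal destination, same intent as the post's first where clause
        # country_name exists only after the lookup, so the exclusion must come after it.
        country = GEO_LOOKUP.get(str(ip), "Unknown")
        if exclude_country is not None and country == exclude_country:
            continue
        counts[timeslice_5m(line.split(" ", 1)[0])][country] += 1
    return {ts: dict(c) for ts, c in counts.items()}
```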