I've been working on a report that shows the dropped or blocked traffic using the interesting ports lookup table. I want to change this to search the network data model so I'm not using the "*" for my index. Any help on this would be great. Thanks.
index=* (action="blocked" OR action="dropped")
    [| inputlookup interesting_ports_lookup | fields dest_port]
| table dest_port, dest_ip, src, app
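As an added example (not code from the original post), the same report written against the CIM Network_Traffic data model with tstats, so the index=* wildcard goes away and the accelerated summaries are searched instead of raw events. It assumes the firewall sourcetypes are already tagged into Network_Traffic and that the data model is accelerated; the lookup name and its dest_port column are the ones the poster's own subsearch uses. The subsearch renames dest_port to the data-model field name so its output can be ANDed into the where clause, and dest_ip from the original becomes the CIM field dest.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Traffic.All_Traffic
    where (All_Traffic.action="blocked" OR All_Traffic.action="dropped")
        [| inputlookup interesting_ports_lookup
         | fields dest_port
         | rename dest_port AS "All_Traffic.dest_port"]
    by All_Traffic.dest_port, All_Traffic.dest, All_Traffic.src, All_Traffic.app
| rename All_Traffic.* AS *
| table dest_port, dest, src, app, count
```

Because tstats is an aggregating command, the result is one row per distinct dest_port/dest/src/app combination with a count rather than one row per event, which is usually what a report wants anyway. summariesonly=true only returns data that has been summarized by acceleration; if the model is not accelerated, or you need events newer than the last summary run, set summariesonly=false (slower, since it falls back to searching the raw events). If the report also needs the annotation columns from the lookup, re-join it after the tstats with | lookup interesting_ports_lookup dest_port rather than pulling those fields into the subsearch.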