I have a search that searches for source IP addresses that hit a specific site. Then takes the source IP and “appends” that to the main search. I can get this to work producing raw data entries, but I want a table with the user ID and the IP address.
This produces raw events:
(index="AD" OR index="winders") [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation" x_webcat_code_full!="Online Storage*" (cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org") | fields src | dedup src ]
So where would the table statement go? I have tried at the very end outside the brackets, and before the opening bracket. None worked.
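The same search written out with the reporting command in place, as an added example that is not part of the original post. In SPL the subsearch in square brackets runs first and is expanded into an `src="..." OR src="..."` clause that is ANDed onto the outer search, so `| table` belongs at the very end, after the closing bracket, where it operates on the outer events. The parentheses are deliberate: SPL gives AND higher precedence than OR, so without them `index="AD"` would not be constrained by the subsearch and `cs_url_host="hola.org"` would not be constrained by the other filters. The field names `user` and `src` on the outer (AD / Windows) events are assumptions; substitute whatever the events actually carry.

```spl
(index="AD" OR index="winders")
    [ search index="wsa" eventtype=cisco-wsa-squid usage="Violation"
          x_webcat_code_full!="Online Storage*"
          (cs_url_host="www.privateinternetaccess.com" OR cs_url_host="hola.org")
      | fields src
      | dedup src ]
| table user src
```

If `| table` at the end returns rows with an empty `user` column, the outer events do not have a field called `user`; run the search without the `table` command, open an event, and note the exact field name the user ID appears under. For one row per IP instead of one row per event, replace the last line with `| stats values(user) AS user by src`.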