I am trying to perform a search and trying to add an inputlookup to filter information I don't need to know about. For example if I run the following query
index=firewall NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent
| sort -count
This produces a result and the logs filter correctly (proved by removing NOT and only seeing the entries from the inputlookup; and adding the NOT and not seeing the entries from the inputlookup).
However, if I then try to extend my query with the following, it no longer filters, and I am not sure where I have gone wrong. The query is as follows:
index=firewall "destination network"=external NOT(action=blocked) NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent username src dest dest_port rule action
| sort -count
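A check worth running before comparing the two outer searches, added here as an example and not part of the original post: run the subsearch on its own and pipe it through `format`, which prints the exact `( agent="..." ) OR ( agent="..." )` clause Splunk will splice into the outer search after `NOT`. Comparing that string against the field values in the extended search (and keeping an eye on the subsearch limits in limits.conf, `[subsearch]` `maxout` and `maxtime`, which silently truncate the list) tells you whether the filter clause itself changed or whether the extra outer terms are what altered the result. The lookup name, field names and CIDR placeholders are taken from the post; `dedup agent` is an addition that shrinks the generated clause to one term per agent.

```spl
| inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| dedup agent
| fields agent
| format

index=firewall "destination network"=external NOT(action=blocked) NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| dedup agent
| fields agent]
| stats count by agent username src dest dest_port rule action
| sort -count
```

The first query returns a single row whose `search` field is the literal clause; if it is empty, the `where` clause eliminated every row of the lookup and `NOT [...]` excludes nothing. The second query is the extended search with the same `dedup` applied, so the clause it receives is identical to the one you inspected.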