Channel: Questions in topic: "splunk-enterprise"

How to update certain time fields of lookup table without overwriting old table entries?

So I put together a search not too long ago, with help from the community on here, that runs hourly to update a lookup table I have running. What this table holds is a list of suspicious IPs with a field saying the last date seen. I previously had a search that was doing exactly what I wanted, where it would update that field with the most recent date seen, but for some reason that is no longer working and I can't seem to figure out why. Instead of updating the latest date, it is showing a date from almost a month ago despite it still running and being seen as recently as today. Here is the layout of the search I had used last time:

sourcetype=blah [| inputlookup suspect_list.csv | table Susp_IP | rename Susp_IP as src_ip ]
| search Ticket_num=*
| rename src_ip as Susp_IP
| eval date_last_seen=_time
| table Susp_IP, Ticket_num, date_last_seen
| inputlookup append=t suspect_list.csv
| dedup Susp_IP
| outputlookup suspect_list.csv

Essentially it is supposed to be inputting the lookup, searching on those IPs and updating the date last seen field, and then inputting the lookup again so that it will still keep old entries in the event those IPs haven't shown up in the last hour and not be removed. Then it combines them and outputs it back to that same lookup.
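The merge the question describes (keep every old entry, refresh date_last_seen only for IPs seen again), as an added Python example that is not part of the original post and not Splunk code. It runs on a constructed in-memory copy of the lookup and on constructed events, and it takes the maximum timestamp per IP so that the order in which rows arrive cannot leave an older date in the table:

```python
import csv
import io

# Constructed sample of the existing lookup (suspect_list.csv).
# date_last_seen holds epoch seconds, as eval date_last_seen=_time would produce.
EXISTING_LOOKUP = """Susp_IP,Ticket_num,date_last_seen
203.0.113.5,INC-1001,1700000000
198.51.100.9,INC-1002,1700100000
192.0.2.77,INC-1003,1700200000
"""

# Constructed hourly search results: (src_ip, Ticket_num, _time).
# Deliberately out of time order: the latest sighting is not the first row.
NEW_EVENTS = [
    ("203.0.113.5", "INC-1001", 1700500000),
    ("203.0.113.5", "INC-1001", 1700900000),
    ("203.0.113.5", "INC-1001", 1700700000),
    ("10.0.0.1", "INC-9999", 1700950000),  # not on the suspect list, must be ignored
]

def load_lookup(text):
    """Parse the lookup CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def merge_last_seen(lookup_rows, events):
    """Return rows keyed by Susp_IP with date_last_seen = max(old value, new sightings).

    IPs with no new sightings keep their old row untouched, which is what the
    inputlookup append=t step in the question is meant to guarantee, and only
    IPs already in the lookup are considered, like the subsearch filter.
    """
    merged = {}
    for row in lookup_rows:
        merged[row["Susp_IP"]] = {
            "Susp_IP": row["Susp_IP"],
            "Ticket_num": row["Ticket_num"],
            "date_last_seen": int(row["date_last_seen"]),
        }
    for src_ip, _ticket, seen_at in events:
        if src_ip in merged and seen_at > merged[src_ip]["date_last_seen"]:
            merged[src_ip]["date_last_seen"] = seen_at
    return merged

def dump_lookup(merged):
    """Serialise the merged rows back to CSV text in lookup column order."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["Susp_IP", "Ticket_num", "date_last_seen"])
    writer.writeheader()
    for ip in sorted(merged):
        writer.writerow(merged[ip])
    return out.getvalue()
```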
