I have a main query which shows the destination IP of the computer and there are some destination IPs that I need to exempt, and there are many IP address that I need to exempt, How can I put the CSV as an exemption to the main search?
| datamodel IPP_Assets STOR search | search FTP.dest_ip!=10* **<- This should be a CSV that has a IP Addresses and need to exempt to the main search**
[| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip as FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log
↧