I have the query below:
index=stats_summary dest_ip=172.*
| dedup src_ip dest_ip| map maxsearches=100 search="| inputlookup networks.csv
| eval dip=$dest_ip$
| eval sip=$src_ip$
| eval dm=if(cidrmatch(cidr,$dest_ip$),1,0)
| where dm == 1
| table * "
| table sip dip
The first query returns about 20K records. The lookup table has about 90 records. If I set the maxsearches to 100 then the query returns zero records. If I set maxsearches to 3500 then I get about 100+. According to the documentation, maxsearches controls how many times the map query iterates over each record from the first search. Any ideas on what I'm doing wrong?
↧