Forum Discussion
ChristopherKerry
Mar 16, 2021
Copper Contributor
Searching by more than one field when using a watch list
Hi there, I'm trying to filter by multiple fields in a watchlist. Something similar to the below, but with the fields user, src and dest.
| where SrcIP !in ((_GetWatchlist('WL_Global') | proj...
BOTCCoop
Mar 18, 2021
Copper Contributor
ChristopherKerry Ofer_Shezaf
To expand on this:
| search NOT [| inputlookup LOOKUP | fields src dest dest_port app
Splunk parses all the fields or columns you currently have available and matches them to the lookup; it then compares the value of that field and, when it finds a match, removes the result from our search.
I suppose a less verbose but similar approach in KQL land would be:
| where (SrcIP or User or Dest) !in ((_GetWatchlist('WL_Global') | project user, src, dest
Currently, the above doesn't work and you do have to individually split out your where filtering:
I can see both sides, but it's far more verbose in KQL making readability more of a struggle.
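As an added illustration (not code from anyone in this thread), the two KQL shapes a Sentinel author can use for this: the per-column `where` filters the reply above refers to, and a multi-key `join kind=leftanti` that excludes a row only when a whole watchlist entry matches. The `WL_Global` and `Events` datatables are constructed stand-ins for `_GetWatchlist('WL_Global')` and for a real event table with SrcIP/User/Dest columns.

```kql
// Added example, not from the thread. Constructed stand-in for _GetWatchlist('WL_Global').
let WL_Global = datatable(user:string, src:string, dest:string) [
    "alice", "10.0.0.5", "203.0.113.10",
    "bob",   "10.0.0.9", "198.51.100.7"
];
// Constructed stand-in for an event table; replace with your real table in production.
let Events = datatable(TimeGenerated:datetime, SrcIP:string, User:string, Dest:string) [
    datetime(2021-03-16 10:00:00), "10.0.0.5",  "alice", "203.0.113.10", // matches a full watchlist row
    datetime(2021-03-16 10:01:00), "10.0.0.5",  "carol", "192.0.2.20",   // only SrcIP is on the watchlist
    datetime(2021-03-16 10:02:00), "10.0.0.77", "dave",  "192.0.2.21"    // nothing on the watchlist
];
// Option 1: split-out per-column filters. A row is dropped if ANY single field
// appears anywhere in the matching watchlist column. Keeps only the third event.
// With the real watchlist each subquery is (_GetWatchlist('WL_Global') | project src) etc.
let perColumn = Events
    | where SrcIP !in ((WL_Global | project src))
    | where User  !in ((WL_Global | project user))
    | where Dest  !in ((WL_Global | project dest));
// Option 2: anti-join on all three keys at once. A row is dropped only when one
// watchlist entry matches user AND src AND dest, which is closer to what the Splunk
// subsearch above does. Keeps the second and third events.
let wholeRow = Events
    | join kind=leftanti (WL_Global) on $left.User == $right.user,
                                        $left.SrcIP == $right.src,
                                        $left.Dest == $right.dest;
// Side by side so the semantic difference is visible in one result set.
union (perColumn | extend Method = "per-column"), (wholeRow | extend Method = "whole-row")
| project Method, TimeGenerated, SrcIP, User, Dest
```

Pick the variant deliberately: the per-column form is stricter (any one field on the list excludes the event), while the anti-join only excludes events that reproduce a complete watchlist entry.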
Javier-Soriano
Microsoft
Mar 18, 2021
Tagging UriBarash and Deepak Agrawal for visibility