Hi,

I would like to use the join method in my LogPoint template. However, I can't use “{{}}” for a search parameter. Could you please tell me how I should do this?

Here is an example of this template:

[ source_address=* display_name=* user=* ] as s1 join [ user=* source_host=* source_address=* ] as s2 on s1.user = s2.user {{source_host}} | rename s2.source_host as source_host | process geoip(s1.source_address) as country | rename user as User | chart count() by User, country, source_host

Note: I would like to search by this parameter, {{source_host}}.

Thank you in advance.

Siawash,

Hi,

Could you try this modified search?

[ source_address=* display_name=* user=* ] as s1
join
[ user=* source_host=* source_address=* ] as s2
on s1.user = s2.user
| filter source_host={{source_host}}
| rename s2.source_host as source_host
| process geoip(s1.source_address) as country
| rename user as User
| chart count() by User, country, source_host

I added the filter line “source_host={{source_host}}” so you can search for this specific parameter.
