Hi,
I Would like to use the joinner method in my template LogPoint. Whowever, I can’t use the “{{}}” for search parameter. Could you please tell me how should I do ?
Here is an exemple of this tamplate :
[ source_address=* display_name=* user=*] as s1 join [ user=* source_host=* source_address=* ] as s2 on s1.user = s2.user {{source_host}} | rename s2.source_host as source_host | process geoip(s1.source_address) as country| rename user as User | chart count() by User, country, source_host
Note => I would like to search by this parameter {{source_host}}
Thank you in advance.
Siawash,
Share This Post:
Hi,
Could you try this modified search?
[ source_address=* display_name=* user=*] as s1
join
[ user=* source_host=* source_address=* ] as s2
on s1.user = s2.user
|filter source_host= {{source_host}}
| rename s2.source_host as source_host
| process geoip(s1.source_address) as country
| rename user as User
| chart count() by User, country, source_host I added the filter line where “source_host={{source_host}} so you can search for this specific parameter.
Please sign in to leave a comment.
1 comment