Add idea_in_future.md

idea_in_future.md

@@ -0,0 +1,8 @@
+```
+index=* sourcetype=zeek*
+| iplocation prefix=Source_ allfields=true id.orig_h
+| eval "Source_Location"=case(Source_City=="Whitehall", "Lumen",Source_City== "Quantico", "MCCOG")
+| iplocation prefix=Destination_ allfields=true  id.resp_h
+| eval "Destination_Location"=case(Destination_City=="Whitehall", "Lumen",Destination_City== "Quantico", "MCCOG")
+| table sourcetype, _time, id.orig_h, "Source_City","Source_Region","Source_Country", "Source_Location",id.resp_h,"Destination_City","Destination_Region","Destination_Country", "Destination_Location"
+```