Usage Tips and Best Practices

To optimize the use of the vt command and make your SPL searches cleaner and more efficient, consider the following tips.

1. Extracting Only VirusTotal Fields

All fields generated by the vt command are returned with the prefix vt_. This makes it easy to isolate only the enrichment fields using SPL commands such as table or fields.

Example using table and fields:

    ... | vt hash=sha_256 | table vt_*
    ... | vt ip=dest_ip | fields vt_*

This is useful when you want to keep only VirusTotal-related data and hide the rest of the event fields.

2. Filtering Only Successful Results

Since the vt command always generates a field named vt_result, you can easily filter events based on whether the enrichment was successful.

Keep only successful results:

    ... | vt ip=dest_ip | search vt_result="success"

This ensures you are only working with IOCs that were correctly analyzed by VirusTotal.

3. Identifying Failed Enrichment Attempts

To troubleshoot or measure failure rates, you can filter for events where the VirusTotal call did not succeed.

Show only failed enrichments:

    ... | vt url=url | search vt_result!="success"

This will display events where:

- the API Token was invalid
- the proxy configuration failed
- network issues occurred
- VirusTotal rejected the request
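
To measure the failure rate mentioned in tip 3 instead of only listing failed events, the search below is an added example and not part of the app's own documentation. It generates three constructed events with documentation-range IP addresses using makeresults, and the field names n, failed_ioc, lookups, failed, failed_iocs, results_seen and failure_pct are hypothetical names chosen for illustration.

```spl
| makeresults count=3
| streamstats count AS n
| eval dest_ip=case(n=1, "192.0.2.10", n=2, "198.51.100.7", n=3, "203.0.113.25")
| vt ip=dest_ip
| eval failed_ioc=if(vt_result="success", null(), dest_ip)
| stats count AS lookups, count(failed_ioc) AS failed, values(failed_ioc) AS failed_iocs, values(vt_result) AS results_seen
| eval failure_pct=round(100 * failed / lookups, 1)
```

The results_seen column lists every vt_result value returned, which helps separate a configuration problem affecting all lookups from a failure limited to specific IOCs.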