Hello,
I know to view a csv, I can run | inputlookup asdf.csv. How would I be able to view multiple csvs in one search query?
A better solution would be:
|inputlookup file1.csv | inputlookup file2.csv append=t|...
A better solution would be:
|inputlookup file1.csv | inputlookup file2.csv append=t|...
Ah, got it. Thanks much!
My initial answer had an append=t because I normally append lookups to search results. Try this: |inputlookup c2_zeus.csv | inputlookup DNS_DOMAINS_malware.csv append=t
The c2_zeus.csv is the first. Then I have append=t after that and the second csv. My example above is exactly like how your query was stated originally. It just doesn't let you put a subsequent inputlookup command after the initial one.
You have them backwards. Swap the two. For each inputlookup after the first, you need "append=t"
|inputlookup c2_zeus.csv append=t| inputlookup DNS_Domains_malware.csv
can you post your search that is failing?
I do. It is because inputlookup is stated after the append. I can run the | inputlookup file1.csv just fine. It is the subsequent csvs I can't seem to also pull up.
make sure you have a | at the front of your search, and that it is the first command in the search.
I receive this error:
Error in 'inputlookup' command: This command must be the first command of a search.
inputlookup, append, inputlookup, append, ...?