I have 40 use cases.
I have 800+ incidents in an incident log file.
Every incident should be evaluated against these 40 use cases, and the relevant feedback should be added to the report.
One incident can have one or more feedback entries, depending on how many use cases turn out to be true.
Hi alfiyashaikh,
Use a lookup to manage all the patterns you need to search:
If you have to search for a value in a field, use this:
your_search [ | inputlookup my_patterns.csv | table field ]
| ...
The field name must be the same in the search.
If instead you have to search for a pattern in a full-text search, use this:
your_search [ | inputlookup my_patterns.csv | rename field AS query | table query ]
| ...
I have a lookup with all the patterns to search, typed by sourcetype, so I can use all patterns or only the ones for a specific sourcetype:
your_search [ | inputlookup my_patterns.csv | search sourcetype=my_sourcetype | rename field AS query | table query ]
| ...
Bye.
Giuseppe
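A worked example, added here and not part of Giuseppe's reply, that carries the lookup idea through to the asker's actual requirement: every incident is checked against every use case, and an incident ends up with one feedback line per use case that matches. The incidents and the use-case table are constructed inline with `makeresults` so the search runs on any Splunk instance without data; the field names `incident_id`, `description`, `use_case`, `pattern` and `feedback`, and the sample incidents and patterns themselves, are all assumptions for illustration.

```spl
| makeresults | eval incident_id="INC-1001", description="Multiple failed logins for admin from 10.0.0.5 followed by a successful login"
| append [ | makeresults | eval incident_id="INC-1002", description="Outbound connection from workstation to a known C2 domain" ]
| append [ | makeresults | eval incident_id="INC-1003", description="Failed logins for svc_backup, then powershell -enc payload executed" ]
| fields incident_id description
| eval joinkey=1
| join type=inner max=0 joinkey
    [ | makeresults | eval use_case="UC01", pattern="(?i)failed logins", feedback="Possible brute force: check lockout policy and source IP reputation"
      | append [ | makeresults | eval use_case="UC02", pattern="(?i)known C2|command and control", feedback="Possible beaconing: block the destination and isolate the host" ]
      | append [ | makeresults | eval use_case="UC03", pattern="(?i)powershell -enc", feedback="Encoded PowerShell: decode the payload and review the parent process" ]
      | eval joinkey=1
      | fields joinkey use_case pattern feedback ]
| where match(description, pattern)
| stats values(use_case) AS matched_use_cases, values(feedback) AS feedback, dc(use_case) AS use_case_count BY incident_id, description
| sort - use_case_count
```

The constant `joinkey=1` on both sides turns `join max=0` into a cross product (800 incidents x 40 use cases is 32,000 intermediate rows, well within default limits); `where match(description, pattern)` then keeps only the pairs whose regex actually hits, and `stats values(...)` folds them back to one row per incident with a multivalue `feedback` field. With the constructed data, INC-1001 reports UC01, INC-1002 reports UC02, and INC-1003 reports both UC01 and UC03, so its `use_case_count` is 2. To run it on real data, replace the first three lines with `index=... sourcetype=incident_log` and the inner `makeresults` block with `| inputlookup use_cases.csv`, keeping the `joinkey` and `fields` lines. Store the patterns as regexes and remember that regex metacharacters in a plain-text pattern must be escaped; if the patterns are simple substrings, `where like(lower(description), "%".lower(pattern)."%")` avoids the regex handling entirely.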