I have a subsearch doing "| inputlookup" against a CSV... the implied operator is equals: "Column/Field = Cell Value". Is anybody aware of a way to overload or modify that operator from equals to IN? For example, if my cell value is a comma-separated list value1,value2
I don't want the search to be field="value1,value2"
I would want the search to be field IN (value1,value2)
Example search:
|tstats count WHERE [inputlookup test.csv]
Example: test.csv:
mycolumn
value1,value2
Desired expanded search:
|tstats count WHERE mycolumn IN (value1,value2)
Actual expanded search:
| tstats count WHERE mycolumn="value1,value2"
Use this macro:
[convert_search_from_ORs_to_IN]
definition = rename COMMENT AS "EXTREME WARNING!!! THIS IS ONLY VALID IF YOU ARE USING A SINGLE FIELD!!!!"\
| rex field=search mode=sed "s/^\(\s*\(\s*// s/\s*\)\s*\)$/)/ s/=/ IN(/ s/\s*\)\s*OR\s*\([^=]+=/,/g"
errormsg = Description: Author=Gregg Woodcock; this is necessary because if the number of characters in a search string is too great, the search may fail; this conversion saves ~50%!
iseval = 0
Then, any place where you are doing something like this:
index=foo [|inputlookup tableOfHosts | table host]
Change it to this:
index=foo [|inputlookup tableOfHosts | table host | `convert_search_from_ORs_to_IN`]
SOLVED INTERNALLY:
Adding an eval split on the comma, followed by an mvexpand, to the subsearch accomplishes a similar result:
Example:
|tstats count WHERE [ | inputlookup test.csv | eval mycolumn = split(mycolumn,",") | mvexpand mycolumn ]
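As an added illustration (not code from this thread and not Splunk's own implementation), the Python below emulates what the two approaches above do to the subsearch string. `splunk_format` mimics the `( ( f="v" ) OR ( f="v" ) )` layout a subsearch returns by default (an assumed approximation: real quoting and escaping rules are richer), `ors_to_in` applies the four sed expressions from the `convert_search_from_ORs_to_IN` macro with Python's `re`, `split_cell` models the `eval split | mvexpand` step from the SOLVED INTERNALLY update, and `safe_ors_to_in` adds the guard the macro's single-field warning asks for. All function names and the sample rows are hypothetical.

```python
import re

# The four sed expressions of the convert_search_from_ORs_to_IN macro,
# applied in the same order with Python's re. count=1 where the original
# expression has no /g flag, 0 (all matches) where it does.
_SED_STEPS = [
    (re.compile(r"^\(\s*\(\s*"), "", 0),             # strip leading "( ("
    (re.compile(r"\s*\)\s*\)$"), ")", 0),            # trailing ") )" -> ")"
    (re.compile(r"="), " IN(", 1),                   # first "=" -> " IN("
    (re.compile(r"\s*\)\s*OR\s*\([^=]+="), ",", 0),  # " ) OR ( field=" -> ","
]


def _quote(value):
    """Double-quote a value, escaping backslashes and embedded quotes (assumed rule)."""
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def splunk_format(rows):
    """Emulate the search string a subsearch returns for its result rows,
    i.e. the default `format` output: ( ( f1="v1" AND f2="v2" ) OR ( ... ) ).
    Assumed approximation of the real layout."""
    clauses = []
    for row in rows:
        terms = " AND ".join(f"{field}={_quote(value)}" for field, value in row.items())
        clauses.append(f"( {terms} )")
    return "( " + " OR ".join(clauses) + " )"


def ors_to_in(expanded):
    """Apply the macro's sed pipeline verbatim. Only valid for a single field."""
    for pattern, repl, count in _SED_STEPS:
        expanded = pattern.sub(repl, expanded, count=count)
    return expanded


def fields_in(expanded):
    """Distinct field names that appear in a field="value" comparison."""
    return set(re.findall(r'([A-Za-z_][\w.:]*)\s*=\s*"', expanded))


def safe_ors_to_in(expanded):
    """Enforce the macro's single-field restriction instead of emitting broken SPL."""
    fields = fields_in(expanded)
    if len(fields) != 1:
        raise ValueError(f"IN() rewrite needs exactly one field, got {sorted(fields)}")
    return ors_to_in(expanded)


def split_cell(rows, field, sep=","):
    """Model `eval field=split(field, ",") | mvexpand field`: one row per list item."""
    return [{**row, field: part} for row in rows for part in row[field].split(sep)]


if __name__ == "__main__":
    # Constructed sample rows, as `| inputlookup tableOfHosts | table host` might return.
    hosts = [{"host": "web01"}, {"host": "web02"}, {"host": "db01"}]
    print(ors_to_in(splunk_format(hosts)))
    # host IN("web01","web02","db01")

    # The CSV from the question: a single cell holding "value1,value2".
    csv_rows = [{"mycolumn": "value1,value2"}]
    print(ors_to_in(splunk_format(csv_rows)))                         # still one value
    print(ors_to_in(splunk_format(split_cell(csv_rows, "mycolumn"))))  # two values

    # Two fields per row: the sed pipeline produces invalid SPL, the guard refuses it.
    pairs = [{"host": "web01", "ip": "10.0.0.1"}, {"host": "web02", "ip": "10.0.0.2"}]
    print(ors_to_in(splunk_format(pairs)))
    try:
        safe_ors_to_in(splunk_format(pairs))
    except ValueError as err:
        print("refused:", err)
```

Running it shows why the macro alone does not solve the question as asked: a comma-separated cell is still one value, so the rows have to be split first (the mvexpand step), after which the OR-to-IN rewrite gives `mycolumn IN("value1","value2")`. The multi-field run shows the failure mode the macro's warning refers to: `AND ip="..."` fragments end up inside the `IN(...)` list.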