Created a lookup table for common file locations. I am going to filter these out of results using the lookup table; however, there are a few customers we have where certain files are not authorized (despite being clean in the real world), so I would need to show results for these customers.
Basically, if C:\Program Files (x86)\Mozilla Firefox\Firefox, filtering this out with the lookup table... However, if customer=exampleCustomer, then the result should still display. Is this possible using lookup tables, or do I need to specifically search customer without the lookup?
I agree with @somesoni2. If it is something you can add to your base search, I definitely would do it that way.
Another way would be something like this:
base search
|join type=left interesting_field [|inputlookup lookupfile.csv|table interesting_field field_names]
|eval keep=if(customer=example_customer OR customer=example_customer_2 OR isnull(interesting_field),1,0)
|search keep=1
|rest of search
Is that the only constraint you have for your filter logic, or are there many other customers/rules? If that's the only one, you could do something like this:
index=foo sourcetype=bar ( [| inputlookup yourFilterLookup.csv |... table source ] AND customer!=exampleCustomer) OR (customer=exampleCustomer) ...| rest of the search...
So, the lookup filter will be applied only when customer is not "exampleCustomer". When customer is "exampleCustomer" all results are returned.
There are a lot of customers and rules... Was looking not to have to specifically rule it out, but if that is the only way, I will deal with the cards I've been dealt.
Basically, I want to filter out 50 alerts for first_customer, a completely different set of rules to filter for second_customer, and so on, up to about 25-30 customers. I think it would be much better to do this through one CSV lookup, just unsure how to specify to meet my needs.
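As an added illustration (not code from any answer in this thread), here is a Python model of the one-CSV approach asked for in the last post, with the same fallback as the left join answer above: an assumed lookup layout of path, customer, action, where customer "*" applies to everyone and a row naming a specific customer overrides the "*" row for that customer only. The lookup rows, events and column names are all constructed; in Splunk the same precedence would need a lookup definition with a wildcard match on customer.

```python
import csv
import fnmatch
import io

# Constructed lookup table (assumed layout): one row per path/customer pair.
# customer "*" applies to every customer; a row naming a specific customer
# overrides the "*" row for that customer only. Paths may contain * wildcards.
LOOKUP_CSV = r"""path,customer,action
C:\Program Files (x86)\Mozilla Firefox\firefox.exe,*,suppress
C:\Program Files (x86)\Mozilla Firefox\firefox.exe,exampleCustomer,keep
C:\Windows\System32\*.exe,*,suppress
C:\Tools\putty.exe,first_customer,suppress
"""

# Constructed sample alerts standing in for the base search results.
EVENTS = [
    {"customer": "acme", "path": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"},
    {"customer": "exampleCustomer", "path": r"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"},
    {"customer": "acme", "path": r"C:\Windows\System32\notepad.exe"},
    {"customer": "acme", "path": r"C:\Tools\putty.exe"},
    {"customer": "first_customer", "path": r"C:\Tools\putty.exe"},
    {"customer": "acme", "path": r"C:\Users\bob\Downloads\unknown.exe"},
]

def load_rules(text):
    """Parse the lookup CSV into dicts with keys path, customer, action."""
    return list(csv.DictReader(io.StringIO(text)))

def decide(event, rules):
    """True if the alert should be shown. A rule naming the event's customer
    beats a "*" rule; no matching rule at all means the alert is shown, the
    same outcome as the null interesting_field after the left join above."""
    verdict, best_rank = None, -1
    for rule in rules:
        # Case-insensitive wildcard match on the file path.
        if not fnmatch.fnmatchcase(event["path"].lower(), rule["path"].lower()):
            continue
        if rule["customer"] == "*":
            rank = 0
        elif rule["customer"] == event["customer"]:
            rank = 1
        else:
            continue
        if rank > best_rank:
            verdict, best_rank = rule["action"], rank
    return verdict != "suppress"

def filter_events(events, rules):
    """Apply the lookup rules, keeping only the alerts that must be shown."""
    return [e for e in events if decide(e, rules)]
```

With the constructed data, only the exampleCustomer Firefox alert, acme's putty.exe (no rule for that customer) and the unknown path survive the filter.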