Good Day,
I am working with the following:
Through an indexer I have three fields of interest: Field A, Field B, and Field C. I also have a CSV file as a lookup file with the same fields, which I will call Field A1, Field B1, and Field C1. The CSV file also has two further fields of interest that I will call Fields D1 and E1.
I have been trying to do a search string where, if Fields A, B and C equal Fields A1, B1, and C1 in the CSV, Fields D1 and E1 will be added to the event results.
I tried the following: (basic indexer search string to get Fields A, B and C) | lookup CSV FieldA1 FieldA2 FieldA3 | where FieldA and FieldB and FieldC = FieldA1 and FieldB1 and FieldC1 | (I have tried append, output etc... with either nothing coming up or errors).
I know I am missing something (and it is probably something simple).
Any assistance would be appreciated.
Thanks,
Ed
All you need is the lookup command. It will do the matching for you so there's no need for where.
index=foo
| lookup lookupfile.csv FieldA1 as FieldA FieldB1 as FieldB FieldC1 as FieldC OUTPUT FieldD1 FieldE1
Worked perfectly, thank you for the help.
Cheers,
Ed