Hi all, I have this need: compare a field with a series of error codes. I would not like to write any error codes in the search, but I would like to use a lookup table. I then entered the error codes in a column (Name = Errors) of the table, but when I perform the search, they are not compared correctly.
In the column, for example, is present: login.error.1004
In the search: tag = Log | lookup ServiziApp.csv ServiceName AS Service | search Functionality = "Access" errorCode != Errors
But the lines, despite having a field = login.error.1004, are displayed. Checking the extracted fields, the errorCode field contains login.error.1004 and the Errors field also contains login.error.1004.
Thanks in advance
Firstly, the search command does not compare field against field, so the
errorCode != Errors
is actually looking for the text "Errors" in the errorCode field.
Replace the search with
| where Functionality="Access" AND !match(errorCode, Errors)
However, do you have the same ServiceName more than once in the lookup file? If so, then Errors will be a multi-value field, and you would have to use something like
| where !in(errorCode, Errors)
for that case.
Hi Bowesmana and thanks for the response.
match works correctly with one error code; if I add other error codes in the lookup table, !IN(errorCode, Errors) does not work, i.e. the search does not filter these cases.
This is the contents of the lookup column:
login.error.E99999 login.error.10002
OK, there's the issue: the lookup will not perform a wildcard match for the event error code against any value in the column from the lookup. You can make the lookup support wildcards, but what you actually want here is multiple values, so I suggest that you make a new row in the lookup for each error code you want.
In that case, the in() logic will work when you do the lookup, as all the error codes from the lookup file matching the service you are looking for will be returned as a multi-value field, and then in() can find it.
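To make the difference between the two lookup layouts visible without needing the ServiziApp.csv file, here is an added, self-contained SPL search (not code from the thread). It constructs four sample events with `makeresults` and then builds the `Errors` field in both shapes the lookup could return: `Errors_single_cell` is what one row whose Errors cell reads `login.error.1004 login.error.10002` produces (a single string), while `Errors_multirow` is what two rows, one per code, produce (a multi-value field). The error codes, the field names `Errors_single_cell`, `Errors_multirow`, `dropped_single_cell` and `dropped_multirow`, and the sample events are all constructed for this example.

```spl
| makeresults count=4
| streamstats count AS n
| eval Functionality="Access",
       errorCode=case(n=1, "login.error.1004",
                      n=2, "login.error.10002",
                      n=3, "login.error.E99999",
                      n=4, "login.error.5000"),
       Errors_single_cell="login.error.1004 login.error.10002",
       Errors_multirow=split("login.error.1004,login.error.10002", ",")
| eval dropped_single_cell=if(in(errorCode, Errors_single_cell), "yes", "no"),
       dropped_multirow=if(in(errorCode, Errors_multirow), "yes", "no")
| table errorCode dropped_single_cell dropped_multirow
```

Run as written, `dropped_single_cell` is "no" for every event, because in() compares errorCode against the whole string "login.error.1004 login.error.10002" and nothing equals it, whereas `dropped_multirow` is "yes" for login.error.1004 and login.error.10002 and "no" for the other two. That is exactly why the one-row-per-code layout is needed: once the CSV is laid out that way, `lookup ServiziApp.csv ServiceName AS Service OUTPUT Errors` returns Errors as a multi-value field and the production filter becomes `| where Functionality="Access" AND NOT in(errorCode, Errors)` (the `NOT` spelling of the `!in()` used in this thread). Note that the error-code comparison in in() is an exact string match, so a lookup that still contains one space-separated cell keeps failing silently rather than raising an error.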
Thanks again, adding the error codes on multiple lines works.