Hi,
In order to parametrize the search, I created a lookup with a couple of numerical values that I would like to easily change when necessary.
the format of the csv file (test.csv) is the following (this format could be changed based on the answers to this post)
Threshold Value
name1 value1
name2 value2
the only way to do what I want is the following query
| eval tempField="name1"
| lookup test.csv Threshold as tempField OUTPUT Value as test1value
any better or more efficient way of doing this?
I was imagining something like the line below but it didnt manage to make it work.
| lookup test.csv Threshold as "name1" OUTPUT Value as test1value
thanks!
Are you looking to have both values available at the same time? If so, you might consider changing your lookup to
testvalue1 | testvalue2 |
value1 | value2 |
then use inputlookup to add them to your search
I created the CSV the way you proposed as I need to have both fields at the same time and I tried the following
index=_internal
| head 5
| inputlookup append=t test.csv
but it only creates new columns in a new event
index=_internal
| head 5
| inputlookup append=t test.csv
| eventstats values(CriticalDefault) as CriticalDefault values(WarningDefault) as WarningDefault
| where isnotnull(_raw)