Hi @gcusello
Thanks for the suggestion.

I think I was not clear in asking 🙂

The actual aim is to find the count of Name present in logs and match their SubName from lookup file.
If the Name is not present,It should be displayed as New.

Name is not an already extracted field and hence I'm writing a regex to extract it.
(It is word present right before the word Error and I have written a regex for it)

Now my search has to check for the presence of Name(specific pattern through regex) in the logs,when found it has too check Whether that name exists in the lookup file and display its SubName from the lookup..If the Name is not present then it has to be displayed as New.

My senior suggested me the below query and it doesn't seem to help.

index=your_index
 | rename _raw as rawText
 | eval pattern=[ 
     | inputlookup mylookup.csv
     | stats values(Name) AS query
     | eval query=mvjoin(query,",")
     | fields query
     | format "" "" "" "" "" ""
     ]
 | eval pattern=split(pattern,",")
 | mvexpand pattern
 | eval pattern="%".pattern."%"
 | eval check=if(like(rawText,pattern),pattern,"No")
 | rex field=pattern "\%(?<pattern>[^\%]*)\%"
 | lookup mylookup.csv Name AS pattern OUTPUT SubName
 | fillnull value="New" Name
 | stats count by Name

This doesnt seem to help.
Could you kindly share your thoughts/suggestions on this pls.

Thanks in advance!

Hi,

Could you provide your suggestions pls.

Hi @prettysunshinez.
as I said, if you reach to extract the Name field, my search is the solution to your question:

 index=your_index
 | rex "your regex"
 | dedup Name
 | lookup my_lookup.csv Name OUTPUT SubName
 | sort Name
 | fillnul value="New" SubName
 | table Name SubName

If you share an example of your logs, I can help you in regexing.

If instead you cannot reach to extract the name field and you have to search the names from lookup in your search as a text string, you have to use the search that your senior suggested that's correct (it's one of my old answers!).

Ciao.
Giuseppe