I have the following query -
index=_internal
host = <host1> OR
host = <host2> OR
host = <host3>
| table _time host | dedup host
| sort host
I would like to run this command via an inputlookup. So, I created this lookup and | inputlookup hosts_05_25_18 shows the host names.
How can I run the above query using this inputlookup?
Similar to the case at inputlookup - How to search through all lookup fields
It's good to have here a reference to this masterpiece answer by @acharlieh - What is the basic difference between the lookup, inputlook and outputlookup commands
index=yourIndex [ | inputlookup lookupname | format ]
Great @jkat54, and if the host is named differently in the inputlookup?
Sure, try something like this
| inputlookup lookupname | eval host="*".fieldFromLookup."*" | fields host | format
This would add wildcards around the field value before returning to the root search
For the record, eval host=host + "*" worked to include hosts with domain names...
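Putting the thread together, as an added example that is not from any of the posts above: the original `_internal` query driven by the `hosts_05_25_18` lookup. It assumes the lookup keeps its host names in a column called `fieldFromLookup` (the placeholder name used in the answer) and adds a trailing wildcard so hosts reported with a domain suffix still match.

```spl
index=_internal
    [ | inputlookup hosts_05_25_18
      | eval host=fieldFromLookup."*"
      | fields host
      | dedup host
      | format ]
| table _time host
| dedup host
| sort host
```

For constructed lookup rows `web01` and `web02`, the subsearch hands `( ( host="web01*" ) OR ( host="web02*" ) )` back to the outer search. Without `fields host`, `format` would also AND `fieldFromLookup="web01"` into each group, and no `_internal` event carries that field, so nothing would match.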