I'm a little stumped with what I am trying to achieve with the lookup of values from a CSV, which are based on the search results I get when performing a search.
The CSV is defined as an inputlookup and contains field1,field2.
When I search, I will have a value returned that is in the format of field1 in the CSV. And, I would like to display the corresponding field2 in my search results. For example: username,displayname.
I've looked at the inputlookup and lookup documentation, but am unsure how to pass results or filter a subquery's results for the value.
Searching a lookup file named foo.csv that contains "field1" and "field2" is simply
... | lookup foo.csv field1 OUTPUT field2
This means you will need a field called "field1" before calling lookup. The SPL for that is
index=myindex field1="*" | lookup foo.csv field1 OUTPUT field2
What if your events don't have a field called "field1"? The lookup command allows for that, as in this example:
index=myindex username="*" | lookup foo.csv field1 as username OUTPUT field2 as displayname | table username displayname