Solved: How to create a base search that uses values from ...

jsven7 · ‎09-03-2020

I have a lookup table. Let's say the lookup table contains a column called "a". The "a" column contains a list of indices.

How can I perform a stats count of logs found in each index from the "a" column?

| inputlookup lookuptable.csv
| table a

richgalloway · ‎09-03-2020

If I understand the question, this may help.

| inputlookup lookuptable.csv 
| fields a
| mvexpand a
| map search="search index=$a$"

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-08-2020

If the field is not multivalue then mvexpand will not do anythihg to it.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎09-03-2020

If I understand the question, this may help.

| inputlookup lookuptable.csv 
| fields a
| mvexpand a
| map search="search index=$a$"

---
If this reply helps you, Karma would be appreciated.

jsven7 · ‎09-08-2020

@richgalloway - thanks Rich. May I ask, what if some of the values are multivalued, pipe-deliminated values. How may I make $a$ single-valued?

How to create a base search that uses values from a multi-value field as indices?