I have a field named failcode with numerous fail code names structured like this:
date | failcode | count |
2021-10-01 | g-ab | 123 |
2021-10-01 | g-bc | 258 |
2021-10-01 | g-cd | 369 |
2021-10-01 | c-ab | 456 |
2021-10-01 | c-bc | 124 |
2021-10-01 | c-cd | 325 |
2021-10-01 | d-ab | 854 |
2021-10-01 | d-bc | 962 |
2021-10-01 | d-cd | 362 |
2021-10-01 | d-dd | 851 |
2021-10-02 | g-ab | 963 |
2021-10-02 | g-bc | 101 |
2021-10-02 | g-cd | 171 |
2021-10-02 | c-ab | 320 |
2021-10-02 | c-bc | 214 |
2021-10-02 | c-cd | 985 |
2021-10-02 | d-ab | 165 |
2021-10-02 | d-bc | 130 |
2021-10-02 | d-cd | 892 |
2021-10-02 | d-dd | 964 |
2021-10-03 | g-ab | 653 |
2021-10-03 | g-bc | 285 |
2021-10-03 | g-cd | 634 |
2021-10-03 | c-ab | 689 |
2021-10-03 | c-bc | 752 |
2021-10-03 | c-cd | 452 |
2021-10-03 | d-ab | 365 |
2021-10-03 | d-bc | 125 |
2021-10-03 | d-cd | 691 |
2021-10-03 | d-dd | 354 |
I want to only keep certain codes: g-ab, c-cd, and d-dd and not display the rest in my results. Essentially I just want to display certain results from my failcode column.
To filter your results, use the search or where command.
... | search failcode IN ("g-ab", "c-cd", "d-dd")
... | where IN(failcode, "g-ab", "c-cd", "d-dd")
For better performance put the IN option from the search command above in the base search.
index=foo failcode IN ("g-ab", "c-cd", "d-dd")
| ...
Would this method also work with a search that is using a lookup table? I tried using the below but didn't come up with any results. Would this not work with a lookup table?
| inputlookup myfile.csv
| where IN(failcode, "g-ab", "c-cd", "d-dd")
| ...
inputlookup can be used to fetch results.
| inputlookup myfile.csv | where failcode IN ("g-ab", "c-cd", "d-dd")
Are you able to see the contents of the lookup file created? Run the following command:
| inputlookup myfile.csv
Yes, I'm able to see the entire contents of my lookup file. The file is structured as follows:
_time, failcode, source, failcount
It should work; I tried it out with the CSV file you shared.
It can either be permissions (but you're able to see contents of lookup using inputlookup).
Check the fieldnames (case-sensitive) & also spell-check
Try another way (replace with your filename) -
| inputlookup answers-571716.csv
| where failcode="g-ab" OR failcode="c-cd" OR failcode="d-dd"