I have an inventory csv file and want to do an open text search for all the hostnames in my lookup table. The reason I say "open text search" is because the hostname field is named differently across various indexes so I can't point my LUT column to a specific log field.
I am basically trying to avoid the below query as I don't want to type out (copy+paste) all the hostnames
index=web OR index=main OR index=os (host1 OR host2 OR ... host n)
My current query is:
[| inputlookup hosts.csv
| fields name
| stats count by index sourcetype
The first query works perfectly! The tstats doesn't seem to work as I get the error, Error in 'TsidxStats': WHERE clause is not an exact query. The hostnames have "." in some of them, not sure if that is the problem.