Hello (again),
I have a lookup table that has 17 fields in it and 200 total records, but of interest to me is a table named "pub_table" that I want to match against records in my index=prod sourcetype=stats table_name field - which has about 1500 unique table_name entries.
When I perform the following
|inputlookup assets_mapping_flow.csv| sort pub_table|table pub_table
the data I receive is along the lines of (I'm masking the data):
flow_01
flow_02
flow_03
...
flow_200
When I do the following search for my report:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv |return 200 $pub_table] | stats dc(table_name) by table_name
this is what I receive on the report
flow_1
flow_1a
flow_1a_test
flow_2
flow_2a
I only want to see flow_1, flow_2, flow_3 and so on, so it appears that I'm getting anything that contains those expressions.
Question - how do I correct this?
Many thanks.
Try something like:
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |return 200 table_name] | stats dc(table_name) by table_name
or
index=prod sourcetype=stats [|inputlookup assets_mapping_flow.csv|rename pub_table as table_name |table table_name|format] | stats dc(table_name) by table_name
Yes, works great, going with the first option for my case.
Thank you!
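Why the rename changes the result, as an added example that is not part of the original thread: `return 200 $pub_table` hands the outer search only the values, which are then treated as bare terms, while `return 200 table_name` hands over field=value pairs. The Python model below uses constructed events and a simplified tokenizer rather than Splunk's real segmentation; the `parent` and `note` fields and the exact rendering of the expanded strings are assumptions for illustration.

```python
import re

# Constructed sample data (not from the thread): lookup values and raw events.
PUB_TABLES = ["flow_1", "flow_2", "flow_3"]
EVENTS = [
    "table_name=flow_1 rows=120",
    "table_name=flow_1a parent=flow_1 rows=7",
    "table_name=flow_1a_test note=copy_of:flow_1 rows=2",
    "table_name=flow_2 rows=64",
    "table_name=flow_2a parent=flow_2 rows=9",
    "table_name=flow_9 rows=1",
]

def expand_values_only(values):
    """Approximate shape of what `return N $pub_table` yields: bare terms."""
    return " OR ".join(f"({v})" for v in values)

def expand_field_pairs(field, values):
    """Approximate shape of what `return N table_name` yields: field=value pairs."""
    return " OR ".join(f'({field}="{v}")' for v in values)

def tokens(raw):
    # Simplified stand-in for Splunk segmentation: split on whitespace, '=' and ':'.
    return set(re.split(r"[\s=:]+", raw))

def field_value(raw, field):
    # Extract the value of one key=value field from the raw event text.
    m = re.search(rf"(?:^|\s){re.escape(field)}=(\S+)", raw)
    return m.group(1) if m else None

def search_bare_terms(events, values):
    """A bare term matches when it occurs anywhere in the raw event."""
    wanted = set(values)
    return sorted({field_value(e, "table_name")
                   for e in events if tokens(e) & wanted})

def search_field_pairs(events, field, values):
    """field=value matches only when that field holds exactly that value."""
    wanted = set(values)
    return sorted({field_value(e, field)
                   for e in events if field_value(e, field) in wanted})

if __name__ == "__main__":
    print(expand_values_only(PUB_TABLES))
    print(search_bare_terms(EVENTS, PUB_TABLES))
    print(expand_field_pairs("table_name", PUB_TABLES))
    print(search_field_pairs(EVENTS, "table_name", PUB_TABLES))
```

To see the real expansion in Splunk, run the subsearch on its own (the part inside the square brackets) and inspect the `search` field it returns.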