The search should take the values of the Process and host fields from the lookup and feed them into a search where I use a match command that indicates whether the process exists or not: 1 indicates that the process exists and is running, while 0 means it does not exist and the process is down.
Can someone help me build the search to achieve this?
I tried the search below, but can't see any result.
sourcetype=ps [| inputlookup ipservices | table Process] | eval processexists=if(match(_raw,"[| inputlookup ipservices | table Process]"),1,0) | stats max(processexists) as Status by host
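As an added example (not from the original question or from any answer on this page), here is a version of the search that yields one row per host/Process pair listed in the lookup, with Status 1 when the process was seen on that host and 0 when it was not. It assumes the `ipservices` lookup has columns named `host` and `Process`, that each `Process` value is safe to use as a regular expression (no unescaped metacharacters), that the process name appears in `_raw` of the `ps` events, and a 15-minute window, which should match the ps collection interval. For reference, the search in the question returns nothing because the outer subsearch `[| inputlookup ipservices | table Process]` expands to `Process="..."` terms, and `ps` events carry no `Process` field, so no event matches; the subsearch written inside the quoted string in `match()` is never expanded at all.

```spl
sourcetype=ps earliest=-15m [| inputlookup ipservices | fields host | dedup host]
| lookup ipservices host OUTPUT Process
| mvexpand Process
| where match(_raw, Process)
| eval processexists=1
| fields host Process processexists
| inputlookup append=true ipservices
| fillnull value=0 processexists
| stats max(processexists) AS Status by host Process
```

The first line only pulls ps events from hosts that appear in the lookup. `lookup ... OUTPUT Process` attaches every expected process for that host as a multivalue field, `mvexpand` gives one row per host/process candidate, and `where match(_raw, Process)` keeps the rows where the process name actually occurs in the event text. `inputlookup append=true` then adds the full expected list as rows without a `processexists` value, `fillnull` turns those into 0, and `stats max` collapses everything so a pair that was seen at least once in the window scores 1 and an unseen pair scores 0. Using `inputlookup append=true` rather than `| append [...]` avoids the subsearch result and timeout limits. Two caveats: a host that sent no ps data at all in the window is reported as 0 for every process, which is correct for an "is it down" view but does not distinguish a dead agent from a dead process; and if process names contain characters such as `.` or `+`, either escape them in the lookup or replace the `match()` test with `like(_raw, "%".Process."%")` for a plain substring check.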
From your data, searching based on lookup fields and adding fields to results from a lookup are two separate things. So you will need two steps to achieve this. You may configure your lookup as an automatic lookup on your data. That'll allow you to leave off the explicit "| lookup" command from your first search.
Second, run a search like this:
Or I guess you want to use a GUI? This can also be done via the GUI Admin Manager. It takes a search string to restrict searches. I did a preliminary test and it worked. In that field, try this:
..|rest /services/authentication/current-context | table username | lookup user_auths.csv user AS username OUTPUT host | table host | format "" "(" "OR" ")" "" ""
Replace "user_auths.csv" with your lookup name or filename. Update the "user" field to be whatever is listed in that CSV.