Hi,
I'd like to search our log for multiple possible errors from our lookup file:
to return only the records containing in any field one of the strings in the Error column and show the corresponding value from the Source column.
Is there a way, such as | inputlookup errors.csv | foreach... | search ...?
Many thanks in advance,
Luc
Thank you for your prompt reply. This returns the search results. How do I return the Source column?
Hi luc_k,
it's possible to search for the full string you have in the Error field.
In other words: you can search for "Some Errors occurred" but not for Some Errors occurred
try something like this
your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ]
| ...
In this way you run a full text search over all events.
Bye.
Giuseppe
To return the Source column - something like your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ] | lookup your_lookup.csv ...?
Hi luc_k,
this last question isn't so easy, because when you use the query field in a search you lose the field=value pair and you have to rebuild it,
you should try something like this:
your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ]
| rename _raw as rawText
| eval foo=[
| inputlookup your_lookup.csv
| eval query="%"+Error+"%"
| stats values(query) AS query
| eval query=mvjoin(query,",")
| fields query
| format "" "" "" "" "" ""
]
| eval foo=split(foo,",")
| mvexpand foo
| where like(rawText,foo)
| rex field=foo "\%(?<Error>[^\%]*)\%"
| ...
Bye.
Giuseppe
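An added example (not code from this thread) that follows Giuseppe's idea of expanding the Error list per event, but uses `return $Error` instead of `format` to carry the joined list into eval and then `lookup` to fetch the matching Source. It assumes the lookup file is errors.csv with columns Error and Source, that `your_search` is the base search, and that `;` does not occur inside any Error value:

```spl
your_search [ | inputlookup errors.csv | rename Error AS query | fields query ]
| eval Error=[ | inputlookup errors.csv
               | stats values(Error) AS Error
               | eval Error=mvjoin(Error, ";")
               | return $Error ]
| eval Error=split(Error, ";")
| mvexpand Error
| where like(_raw, "%" . Error . "%")
| lookup errors.csv Error OUTPUT Source
| table _time, Error, Source, _raw
```

The outer subsearch keeps only events that contain at least one Error string, and the mvexpand/where pair then attaches exactly the Error (and its Source) that matched, so an event containing two Error strings appears twice. Note that `like` treats `%` and `_` inside the Error text as wildcards; if your Error values contain those characters, switch to `match(_raw, ...)` with a regex-escaped pattern.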
If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe