I'd like to search our log for multiple possible errors from our lookup file:
to return only the records containing in any field one of the strings in the Error column and show the corresponding value from the Source column.
Is there a way, such as | inputlookup errors.csv | foreach... | search ...?
Many thanks in advance,
It's possible to search for the full string you have in the Error field.
In other words: you can search for "Some Errors occurred" but not for Some Errors occurred
try something like this
your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ] | ...
In this way you run a full-text search across all events.
To return the Source column - something like yoursearch [ | inputlookup yourlookup.csv | rename Error AS query | fields query ] | lookup your_lookup.csv ...?
This last question isn't so easy, because when you use the query field in a search you lose the field=value pair and you have to rebuild it;
you should try something like this:
your_search [ | inputlookup your_lookup.csv | rename Error AS query | fields query ] | rename _raw as rawText | eval foo=[ | inputlookup your_lookup.csv | eval query="%"+Error+"%" | stats values(query) AS query | eval query=mvjoin(query,",") | fields query | format "" "" "" "" "" "" ] | eval foo=split(foo,",") | mvexpand foo | where like(rawText,foo) | rex field=foo "\%(?<Error>[^\%]*)\%" | ...
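As an added example (not from the answer above), here is a variant of the same idea that avoids the subsearch-inside-eval trick: the lookup rows are appended to the result set, eventstats copies the full list of Error strings onto every event, and each event is then tested against each string with like() before the Source column is joined back in. It assumes the lookup file is errors.csv with columns Error and Source, and that index=app sourcetype=app_log is the search you want to filter.

```spl
index=app sourcetype=app_log
    [ | inputlookup errors.csv | rename Error AS query | fields query ]
| rename _raw AS rawText
| inputlookup append=true errors.csv
| eventstats values(Error) AS candidate
| where isnotnull(rawText)
| mvexpand candidate
| where like(rawText, "%" . candidate . "%")
| rename candidate AS Error
| lookup errors.csv Error OUTPUT Source
| table _time host Error Source rawText
```

The first subsearch keeps the full-text pre-filter from the accepted approach so that only candidate events reach mvexpand; note that any literal % or _ inside an Error value acts as a wildcard for like(), and that an event matching several Error strings is returned once per match.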