I need help with a very basic search concept. I need a way to suppress search results if a certain condition is met. I have a CSV file (file.csv):
Maint
YES
I need the exact search that would follow this basic logic...
index=* (whatever the search) look at file.csv If Maint="YES" ensure search returns nothing, otherwise return as normal
Please provide actual working search (I have tried many ways and I am sure I am missing something small, I am not familiar enough with the searches to fix minor issues)
@jmoeller,
Here is what I tried and it is working.
Lookups » Lookup table files
Lookups » Lookup definitions » maint
Executed the below search and it gives me the result:
index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint
And the below gives no result:
index=_internal|stats count by sourcetype
| appendcols [| inputlookup maint]
| filldown Maint
| where Maint!="Yes"
Try and see if this works for your environment.
Thank you! It is working and I will mark it as answered because it does exactly what I asked. However, my oversimplification has created a new "problem". My csv actually has additional columns. When I run your suggestion, I get the results of the original query but I also get the additional columns from my csv (to the right of the results). You would not have seen that because you followed my question, this is my fault. If you add an additional column to your csv, you should see the same. Are you aware of an easy way to remove the extra columns?
Thanks again,
Jonathan
Actually, I spoke too soon. It works with a query involving statistics, but if you remove "| stats count by sourcetype", you receive an error: "Error in 'appendcols' command."
Hi Jonathan(@jmoeller),
No worries, you could use append also. I now have three columns in the csv and just selected Maint by using fields. Try this and let me know if it works for you as well.
index=_internal|append [| inputlookup Maint|fields Maint]|reverse|filldown Maint|reverse|where Maint!="Yes"
Thanks again. It is working but there is still a minor issue. When I use the search above, it "appends" a blank event at the bottom of the list. Since we are using this for alerting, a simplified search would be...
EventCode=1000
The alert would trigger if there is a record returned, thus the issue.
You should see it if you just modify your example to an index that doesn't exist. You should see a single event returned rather than zero.
Thanks, again for all of your help. If we can get rid of the extra event, I am golden.
Hi Jonathan(@jmoeller),
Thanks for highlighting it. You could just filter it out by adding |where _raw!="" at the end of the search. It purely depends on your search results. If you have just events returned, then the above should work, and if you have some fields displayed, e.g. table field1,field2, then you could add the condition based on the field also. Let me know how it goes.
Thanks!
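Pulling the thread's pieces together, here is an added example of a single alert search (not a search posted in the thread) that suppresses results during maintenance, drops the helper column, and removes the appended blank row. It assumes the lookup definition is named maint with a Maint column and that the alert's event filter is EventCode=1000, as in the thread; it compares the flag case-insensitively so both "YES" and "Yes" suppress, and treats a missing flag as "no" so an empty lookup does not silence the alert.

```spl
index=_internal EventCode=1000
| append [| inputlookup maint | fields Maint]
| reverse
| filldown Maint
| reverse
| eval maint_flag=lower(coalesce(Maint, "no"))
| where isnotnull(_raw) AND maint_flag!="yes"
| fields - Maint maint_flag
```

The isnotnull(_raw) condition removes the lookup row that append adds, since that row carries no raw event text, while the fields - line keeps the extra lookup columns out of the alert output.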