Hi,
I'm trying to output another column from a lookup table I have created named "threatlist.csv". The problem I'm having is outputting the second field named "Threattype".
| search [| inputlookup threatlist.csv | eval Sanitised=replace(Sanitised, "[.]", ".") | table Sanitised | lookup threatlist.csv Sanitised as url OUTPUT "Threattype" | rename Sanitised as query] |
The mvappend doesn't want to extract the 2nd field from the lookup.
eval query=mvappend(Sanitised, someOtherFieldHere)
You should have told us your real search from the start, which you say is this:
Index= * | search [| inputlookup threatlist.csv | eval Sanitised=replace(Sanitised, "[.]", ".") | table Sanitised | rename Sanitised as query | format]
And you should have told us your real problem, too. When you add a second search, your format command shows you that you switch from all ORs to a mix of ANDs and ORs. To avoid this, try this:
Index= * | search [| inputlookup threatlist.csv | eval Sanitised=replace(Sanitised, "[.]", ".") | table Sanitised | eval query=mvappend(Sanitised, someOtherFieldHere) | table query | mvexpand query | format]
Thanks,
The mvappend doesn't want to extract the 2nd field from the lookup 😞
eval query=mvappend(Sanitised, someOtherFieldHere)
I have the impression that you have a misunderstanding of how lookups and mvappend work - maybe it helps if you re-read that part of the docs to make sure your expectations match.
Thanks, I'm getting results against the "Sanitised" field in the lookup table but for some reason the query does not want to output the second field from the lookup. Any ideas?
Data is present in the lookup table for the second field. When the search completes, just the second field column is empty.
There is no extraction happening. Either the field is in the lookup file and has values or not. If so, then my solution will work. If not, then it will not and you need to repair the lookup file.
Could you add a screenshot or some examples of what you're getting now and how you would like it to look?
This is working for me at the minute, but the search is unable to output a second field from the same "threatlist.csv" lookup file. The lookup table contains two fields: "Sanitised", which is the bad IP in a sanitised format, and "Threattype", which holds the threat name.
Index= * | search [| inputlookup threatlist.csv | eval Sanitised=replace(Sanitised, "[.]", ".") | table Sanitised | rename Sanitised as query | format] | table _time, Threattype, Sanitised ......................
Can you confirm whether what you want to achieve is this:
For being able to do a lookup of the threat type after searching for the events that match the bad IP list, you'd need to have that IP address in a field in your search results.
Are you applying this to some specific data, where you actually know that the IP address ends up in a specific field (or a few potential fields)?
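Putting the two halves together, as an added example that is not from any poster in this thread: the subsearch narrows events to the ones mentioning a listed IP, then a second pass against the same CSV adds Threattype. It assumes the events carry the address in a field called src_ip or dest_ip (hypothetical names) and that Sanitised holds defanged values such as 1[.]2[.]3[.]4.

```spl
index=*
    [| inputlookup threatlist.csv
     | eval query=replace(Sanitised, "\[\.\]", ".")
     | table query
     | format]
| eval ip=coalesce(src_ip, dest_ip)
| eval ip_defanged=replace(ip, "\.", "[.]")
| lookup threatlist.csv Sanitised AS ip_defanged OUTPUT Threattype
| table _time, ip, Threattype
```

Note that as a regex "[.]" only matches a literal dot, so replace(Sanitised, "[.]", ".") leaves a defanged value unchanged; the square brackets must be escaped as above for the un-defanging to take effect. The lookup matches on the stored CSV value, so the event IP is re-defanged before the lookup rather than the CSV being rewritten.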