Hi
I'm wondering if it's possible to define and execute a macro from a lookup. I have an index with several (about 50) user actions, which aren't named in a user friendly manner. Additionally, each action has different fields, which I'd like to extract using inline rex queries. In short, I'd like a table with the following:
| Time | UserName | Message |
| 10:00 a.m. | JohnDoe | This is action1. Details for action1. |
| 10:01 a.m. | JohnDoe | This is action2. Details for action2. |
| 10:02 a.m. | JohnDoe | This is action3. Details for action3. |
I know can define a friendly name for the action using a lookup. I can also do the rex field extractions and compose a details field using a macro for each action. However, is there a way to also rex the fields and define the details in a lookup?
I was thinking of creating a lookup like this:
| Action | FriendlyDescription | MacroDefinition |
| action1 | "This is action1" | | rex to extract fields for action1 | eval for Details for action1 |
| action2 | "This is action2" | | rex to extract fields for action2 | eval for Details for action2 |
| action3 | "This is action3" | | rex to extract fields for action3 | eval for Details for action3 |
I was thinking about something like this:
index=MyIndex source=MySource
| lookup MyLookup.csv ActionId OUTPUT FriendlyDescription, MacroDefinition
`code to execute MacroDefinition`
|table _time, UserName, FriendlyDescription, Details for action
I'm not sure if i'm barking up the wrong tree, but the reason I'd like to do this in one place (a lookup) instead of 50 different macro definitions. It'd be neat to have all the code in one place.
Thanks!
