I've got a KeywordList.csv lookup table with 3 columns (URI, URI_Keyword, URI_KeywordType). URI is a pre-existing field in our log data, while URI_Keyword and URI_KeywordType are new fields that I'd like to enrich our events with. I've created a file-based lookup (KeywordList) definition that is used in the same app context & permissions as the KeywordList.csv.
What I'm trying to do is search our URI field with the keywords from the URI field in the lookup table, and then output corresponding URI_Keyword and URI_KeywordType field data for those events.
My script below brings back a table that has blank URI_Keyword and URI_KeywordType fields.
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUTNEW URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI
When removing the "| fields URI" piece from the subsearch, I get no results.
What am I doing wrong?
You are misunderstanding what this portion does:
... [|inputlookup KeywordList.csv | fields URI] ...
Try typing this into your search bar:
| inputlookup KeywordList.csv | fields URI | format
Then try it without | fields URI, like this:
| inputlookup KeywordList.csv | format
Now you should understand that the first part of your search should probably be this (which does the same thing that you have, but more clearly and efficiently):
index=tmg [|inputlookup KeywordList.csv | fields URI] | ...
And you should be able to take it from there (I am not sure what your end-game is).
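What the answer above asks you to observe with `format`, as an added example that is not part of the original thread: a simplified Python model of how the subsearch expands into the outer search, and why dropping `| fields URI` returns nothing. The CSV rows, the events and the helper names are constructed, and the field order inside each row is an assumption.

```python
import csv, io, re

# Constructed stand-in for KeywordList.csv (values are made up for illustration).
KEYWORD_LIST_CSV = """URI,URI_Keyword,URI_KeywordType
/admin/login.php,login,auth
/cgi-bin/test.cgi,cgi,script
"""

# Constructed index=tmg events: they carry URI but not the two lookup-only fields.
EVENTS = [
    {"URI": "/admin/login.php", "status": "200"},
    {"URI": "/index.html", "status": "200"},
]

def inputlookup(text, keep=None):
    """Model of `| inputlookup ... [| fields <keep>]`: rows as dicts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if keep:
        rows = [{k: r[k] for k in keep} for r in rows]
    return rows

def format_rows(rows):
    """Model of the default `format` output a subsearch hands to the outer search."""
    ors = ["( " + " AND ".join(f'{k}="{v}"' for k, v in r.items()) + " )" for r in rows]
    return "( " + " OR ".join(ors) + " )"

def term_matches(event, field, value):
    """field="value" term: field must exist; * is a wildcard; case-insensitive."""
    if field not in event:
        return False
    pattern = ".*".join(re.escape(p) for p in value.split("*"))
    return re.fullmatch(pattern, event[field], re.IGNORECASE) is not None

def search(events, rows):
    """Keep events satisfying every field of at least one row (AND within, OR across)."""
    return [e for e in events
            if any(all(term_matches(e, k, v) for k, v in r.items()) for r in rows)]

if __name__ == "__main__":
    for keep in (["URI"], None):
        rows = inputlookup(KEYWORD_LIST_CSV, keep)
        print(format_rows(rows))
        print("matched:", search(EVENTS, rows))
```

With only URI returned, the filter is an OR of URI terms and the first event matches; with all three columns returned, every row also requires URI_Keyword and URI_KeywordType, which the raw events do not have, so nothing matches.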
Try if one of these works for you:
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI OUTPUT URI_Keyword, URI_KeywordType | table URI_Keyword, URI_KeywordType, URI
index=tmg | search [|inputlookup KeywordList.csv | fields URI] | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI
index=tmg | lookup KeywordList URI | table URI_Keyword, URI_KeywordType, URI
Sorry I wrote a longer answer, but lost everything because of my browser, so this short answer is all you get from me at the moment.
Thanks for the input. None of the modified scripts work. They all output blank URI_Keyword and URI_KeywordType fields.