Hi,
Strange behavior with Automatic lookup (same with manual lookup).
I have a CSV file that contains codes, for example:
1 - LOGIN
2 - FAILURE
11 - CERTIFICATE
12 - SOMETHING
...
I have a lookup:
LOOKUP-event_code_action_lookup = event_code_action_lookup event_code AS EventCode OUTPUT event_code_action AS EventCodeAction
When I get results I have multiple EventCodeAction statistics, basically. Events x2 EventCodeAction count?
Why did I get a doubled EventCodeAction in the results?
The original data is JSON that is parsed with:
INDEXED_EXTRACTIONS = json
KV_MODE = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = 0
TIMESTAMP_FIELDS = @timestamp
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%Q
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
pulldown_type = 1
Also, is it possible to add EventCodeAction to the "original json" as a field, so it's not only visible on the left side where the fields are?
It was my mistake:
INDEXED_EXTRACTIONS = json
KV_MODE = json
should be
INDEXED_EXTRACTIONS = json
KV_MODE = none
After that, all works fine.
And I put in transforms.conf:
filename = event_code_actions.csv
max_matches = 1
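To make the cause of the doubling concrete, here is an added example (not part of the original thread and not Splunk's own code) that emulates the two extraction passes and the automatic lookup in plain Python. The lookup table and the four JSON events are constructed to match the shape described in the posts; the emulation of extraction and lookup semantics (each enabled pass appends the JSON keys as field values, every value of the input field is looked up, max_matches caps the output) is an assumption made for illustration, not Splunk's implementation.

```python
import csv
import io
import json
from collections import Counter

# Constructed lookup table in the shape of event_code_actions.csv from the post.
LOOKUP_CSV = """event_code,event_code_action
1,LOGIN
2,FAILURE
11,CERTIFICATE
12,SOMETHING
"""

# Constructed raw JSON events; the values are made up for this example.
RAW_EVENTS = [
    '{"@timestamp": "2024-01-01T10:00:00.000", "EventCode": "1"}',
    '{"@timestamp": "2024-01-01T10:00:01.000", "EventCode": "2"}',
    '{"@timestamp": "2024-01-01T10:00:02.000", "EventCode": "11"}',
    '{"@timestamp": "2024-01-01T10:00:03.000", "EventCode": "1"}',
]


def load_lookup(csv_text):
    """Parse the CSV into {event_code: [event_code_action, ...]}.
    A list is kept per key so a CSV with repeated keys still yields
    several matches, which is what max_matches is meant to cap."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table.setdefault(row["event_code"], []).append(row["event_code_action"])
    return table


def extract_fields(raw, indexed_extractions, kv_mode):
    """Emulate the two extraction passes (assumption, not Splunk code).
    Each enabled pass appends the JSON keys to the event's field values,
    so enabling both produces duplicate values per field."""
    passes = []
    if indexed_extractions == "json":
        passes.append("index-time")
    if kv_mode == "json":
        passes.append("search-time")
    doc = json.loads(raw)
    fields = {}
    for _ in passes:
        for key, value in doc.items():
            fields.setdefault(key, []).append(str(value))
    return fields


def apply_lookup(fields, table, in_field, out_field, max_matches=None):
    """Emulate an automatic lookup: every value of in_field is looked up and
    every match is appended to out_field, then capped by max_matches."""
    outputs = []
    for value in fields.get(in_field, []):
        outputs.extend(table.get(value, []))
    if max_matches is not None:
        outputs = outputs[:max_matches]
    if outputs:
        fields[out_field] = outputs
    return fields


def count_by_action(events, indexed_extractions, kv_mode, max_matches=None):
    """Count one hit per output value per event, the way the doubled
    EventCodeAction statistics in the post would look."""
    table = load_lookup(LOOKUP_CSV)
    counts = Counter()
    for raw in events:
        fields = extract_fields(raw, indexed_extractions, kv_mode)
        apply_lookup(fields, table, "EventCode", "EventCodeAction", max_matches)
        counts.update(fields.get("EventCodeAction", []))
    return dict(counts)


if __name__ == "__main__":
    print("INDEXED_EXTRACTIONS=json + KV_MODE=json :", count_by_action(RAW_EVENTS, "json", "json"))
    print("INDEXED_EXTRACTIONS=json + KV_MODE=none :", count_by_action(RAW_EVENTS, "json", "none"))
    print("both passes, max_matches=1             :", count_by_action(RAW_EVENTS, "json", "json", max_matches=1))
```

With both passes enabled, EventCode carries two copies of each value, so the lookup emits two copies of EventCodeAction and every count doubles. Setting KV_MODE=none removes the duplicate input values and is the root-cause fix; max_matches=1 only trims the lookup output and leaves EventCode itself duplicated, which still matters for any search or alert that counts on that field directly.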