Hi @bpenny

You should be able to do a simple lookup for this, something like this:

| lookup typesEnrich.csv type AS msg.message_set{}.type OUTPUT typeDescription

To demonstrate this I've created a sample lookup file:

| makeresults count=1
| eval type=1, typeDescription="Type A"
| append [ | makeresults count=1 | eval type=2, typeDescription="Type B" ]
| append [ | makeresults count=1 | eval type=3, typeDescription="Type C" ]
| append [ | makeresults count=1 | eval type=4, typeDescription="Type D" ]
| append [ | makeresults count=1 | eval type=5, typeDescription="Type E" ]
| append [ | makeresults count=1 | eval type=6, typeDescription="Type F" ]
| table type typeDescription
| outputlookup typesEnrich.csv

Then using some sample data we can emulate your use-case (hopefully!)

| makeresults
| eval json_data = "{\"msg\":{\"message_set\": [{\"type\": 1}, {\"type\": 2}, {\"type\": 4}]}}"
| eval _raw=json_extract(json_data,"")
| table _raw
| spath input=_raw
| lookup typesEnrich.csv type AS msg.message_set{}.type OUTPUT typeDescription

Which gives the following:

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing