Technically you can work with regexes defined in lookups by doing something like this:

| eval enabled=1
| lookup regex_list.csv enabled OUTPUT regex
| eval match=mvmap(regex, if(match(path, regex), regex, null()))

where your csv contains 2 columns, the regex and a column called enabled with a value of 1.

This will pull ALL regexes into each event and then using mvmap will map the path against each of the regexes individually - for each match it will add the matching regex to the match field. After the mvmap, you will have a potentially multivalue field 'match' with one or more matches. If match is null, then there were no matches, so | where isnotnull(match) will filter out non-matching paths.

This is not using a lookup as a lookup, but simply using the lookup as a repository of matches which you "load" to each event during the pipeline. Depending on how many regexes you have, it may be an option or not.
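A run-anywhere version of the search above, added here as an example and not part of the original post. It builds the multivalue regex field with eval instead of reading regex_list.csv, so it runs without the lookup file. The paths and patterns are constructed sample values (held in the constructed_* fields), and the first path matches two of the patterns, so its match field comes out multivalue.

```spl
| makeresults
| eval constructed_paths="/admin/login.php,/images/logo.png,/api/v1/users/42,/cgi-bin/test.cgi"
| eval constructed_regexes="^/admin/;[.]php$;^/api/v[0-9]+/users/[0-9]+$"
| eval path=split(constructed_paths, ",")
| mvexpand path
| eval regex=split(constructed_regexes, ";")
| eval match=mvmap(regex, if(match(path, regex), regex, null()))
| where isnotnull(match)
| eval match_count=mvcount(match)
| table path match match_count
```

Every event carries the full pattern list and is tested against each entry, so the work per event grows with the number of enabled rows in the lookup.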