Congratulations for heeding @PickleRick's advice and reposting your search in text. Now, let me try to understand this use case. You are trying to use a lookup file to generate SPL code for some other purpose. For that generated code, you wish to use multisearch. But that multisearch has nothing to do with the question itself. Is this accurate?

Then, you want to use the returned values from inputlookup as regex to match an indexed field named Web.url in a tstats command. Is this correct? Documentation on tstats will tell you that the where clause of this command can only accept filters applicable in the search command; in fact, only a fraction of these filters. In other words, you cannot use those regex directly in the tstats command. This is not to say that your search goal cannot be achieved. You just need to restructure the subsearches so you can use the where command instead of the where clause in tstats.

But let me first point out that your text illustration of the search not only does not match your screenshot, but also is wrong because url_regex is no longer used in the field filter, therefore no longer used in formulation of the search field. You cannot possibly get the output as your screenshot shows. There is another "transcription" error in the last eval command as well because the syntax is incorrect. Correcting for those errors and simplifying the commands, here is something you can adapt:

| inputlookup my_lookup_file where Justification="Lookup Instructions"
| eval search = "[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype=\"mysourcetype\" by Web.url Web.user | where match(Web.url, \"" . url_regex . "\")]"
| stats values(search) as search
| eval search = "| multisearch " . mvjoin(search, "
")

Suppose your my_lookup_file contains the following entries (ignoring the description field as it is not being used; also ignore fillnull because "*" is not a useful regex to match any URL.)

url_regex
regex
[re]gex
^regex
regex$

The above search will give you

search
| multisearch [| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "[re]gex")]
[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "^regex")]
[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "regex")]
[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype="mysourcetype" by Web.url Web.user | where match(Web.url, "regex$")]

Is this what you are looking for? Here is a full emulation to get the above input and output:

| makeresults format=csv data="url_regex
regex
[re]gex
^regex
regex$"
``` the above emulates
| inputlookup my_lookup_file where Justification="Lookup Instructions"
```
| eval search = "[| tstats `summariesonly` prestats=true count from datamodel=Web where sourcetype=\"mysourcetype\" by Web.url Web.user | where match(Web.url, \"" . url_regex . "\")]"
| stats values(search) as search
| eval search = "| multisearch " . mvjoin(search, "
")

Play with it and compare with your real lookup.