We are collecting log files from various components servers.
Eg. Collecting logs from 3 hosts application A [ This is the lookup I have used]
Host1 /app/sdf ; /app/cdf ; /app/ghf
Host2 /app/sdf ; /app/cdf ; /app/ghf
Host3 /app/sdf ; /app/cdf ; /app/ghf ; /app/wer/* [ie. /app/wer/1.log,/app/wer/2.log, /app/wer/2.log, so on]
For unique logs I have no problem I got the query through this,
index=* appid=$appid$ host=$host$ |rename comment as $earliest$ | stats count by host,source | eval type="current" | table host,source,type | append [|inputlookup source.csv | search appid=$appid$ | search host=$host$ | makemv delim=";" source | eval type="existing" | table appid,host,source,type] | stats values(type) as type by host,source | where mvcount(type) =1 | eval reason=if(type="current","Newlogfile","Missingfile") | table host,reason | search reason="Missingfile"
I am having two dropdowns for inputs appid and host. It goes fine while dealing with unique files
i.e For (/app/sdf ; /app/cdf ; /app/ghf ) it matches correctly and return the results.
But for logs using wildcard, Im confused 😞 [/app/wer/]
How to match (/app/wer/) with lookup values?
Kindly suggest some solutions
... View more