There are a few possibilities here. I'll outline some sample data to describe the various options. Let's say your lookup table abc.csv contains the following:
A, B, C
1, 1, 1
2, 2, 3
36, 7, 9
One possibility is that you want to find events in index=main that match this:
(A=1 AND B=1 AND C=1) OR (A=2 AND B=2 AND C=3) OR (A=36 AND B=7 AND C=9)
If so, the code you suggested should work. And you could make it even more efficient by adjusting it like this:
index=main [|inputlookup abc.csv | fields A,B,C] | stats count by A,B,C
Another possibility is that you want to find events in index=main that match this:
A=1 OR B=1 OR C=1 OR A=2 OR B=2 OR C=3 OR A=36 OR B=7 OR C=9
If so, this would get you there:
index=main [|inputlookup abc.csv | fields A, B, C | format "" "" "OR" "" "OR" "" ] |stats count by A,B,C
And if you actually wanted to look for all events in index=main that contain the values from A,B,C but may appear anywhere in the events (not necessarily in structured extracted fields), you'd be matching on this:
(1 OR 2 OR 3 OR 36 OR 7 OR 9)
In that case, you could do this:
index=main [|inputlookup abc.csv | eval search=mvappend(A,B,C) | stats values(search) AS search | format ] | stats count by A,B,C
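To preview what each subsearch in the answer above expands to before running it against index=main, the following added example (not part of the original post and not Splunk code) approximates the `format` expansion in Python. The function names are hypothetical, the lookup rows are the ones from the post, and the outer parentheses of the third variant are simplified to match the expression given in the post.

```python
import csv
import io

# Lookup contents from the post (abc.csv), embedded so the example runs offline.
ABC_CSV = "A,B,C\n1,1,1\n2,2,3\n36,7,9\n"


def load_rows(text):
    """Parse the lookup into a list of {field: value} dicts."""
    return list(csv.DictReader(io.StringIO(text), skipinitialspace=True))


def quote(value):
    # Escape backslashes and quotes so the preview stays a valid search string.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def emulate_format(rows, row_prefix="(", col_prefix="(", col_sep="AND",
                   col_end=")", row_sep="OR", row_end=")"):
    """Approximate the string `format` returns to the outer search.

    The six arguments are in the same order as the optional arguments of
    the format command; the defaults AND the fields of each lookup row
    together and OR the rows.
    """
    groups = []
    for row in rows:
        terms = f" {col_sep} ".join(f"{k}={quote(v)}" for k, v in row.items())
        groups.append(" ".join(p for p in (col_prefix, terms, col_end) if p))
    body = f" {row_sep} ".join(groups)
    return " ".join(p for p in (row_prefix, body, row_end) if p)


def emulate_raw_terms(rows, fields=("A", "B", "C")):
    """Third variant: mvappend + stats values() gives the distinct values
    in lexicographic order, searched as bare terms without field names."""
    values = sorted({row[f] for row in rows for f in fields})
    return "(" + " OR ".join(values) + ")"


if __name__ == "__main__":
    rows = load_rows(ABC_CSV)
    print(emulate_format(rows))                              # first variant
    print(emulate_format(rows, "", "", "OR", "", "OR", ""))  # second variant
    print(emulate_raw_terms(rows))                           # third variant
```

Comparing the three printed strings side by side makes the difference in match breadth visible: the second and third variants match far more events than the first for the same lookup.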