I have a set of fields like Servername, type, Country, desc,_time. These fields have been indexed and I already have a dashboard in place displaying these fields.
I now have additional info, which is the location details in a CSV along with Server name. I have uploaded this and I can access this CSV using the command:
| inputlookup location_table_v2.csv
to my existing dashboard which displays Servername, type, Country, desc,_time. I want to add the location details as well. The location detail CSV as well as the indexed data has a common field that is Server name. So I can match the fields in CSV and indexed data using the server name field.
I want my final output to display Servername, type, Country, desc,_time, location_name.
I am using a subsearch for this purpose, but I am not getting all the fields in the output. Also, it displays all the rows in the CSV, while it should be restricted to just the server names shown in my dashboard now.
| index="logs" | eval country_code=substr(server_name,3,3) | append [inputcsv location_table.csv | rename "Host names" as host_name , "Location Information" as Location_Information | eval country_code= substr(host_name, 5,3) ] | stats values(Location_Information) as Location_Information by country_code
I have been trying to get the desired result for a while, but I just get one step closer.
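An added example, not part of the original post: the `lookup` command adds fields to events the search has already returned, whereas `append` adds the CSV rows as extra results, so a lookup keeps the output restricted to the servers already on the dashboard. The CSV column names `server_name` and `location_name` are assumptions (the post does not show the header of location_table_v2.csv), and the event field is taken to be `Servername` as listed in the post.

```spl
index="logs"
| lookup location_table_v2.csv server_name AS Servername OUTPUT location_name
| fillnull value="unknown" location_name
| table Servername, type, Country, desc, _time, location_name
```

Servers with no matching row in the CSV stay in the results and show `unknown` instead of being dropped, which makes gaps in the location file visible on the dashboard.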