I would like to be able to take the lookup table defined below and create searches from it.
dsearch.csv
index,source,sourcetype,eventtype
firewall,*,*,*
*,/var/log/syslog,syslog,*
netflow,*,bro,bro_smtp
I tried using inputlookup in a subsearch and passing it back, but it doesn't work.
search [|inputlookup dsearch.csv | fields index,source,sourcetype,eventtype | format ]
which would return:
((index=firewall AND source=* AND sourcetype=* AND eventtype=*))
I realize I would probably need a map command to do multiple lines, but I can't get it to work with just one line.
This would be really powerful in validating that data is coming in by defined fields for each data source (i.e., multiple hosts or log files...).
Any help would be appreciated.
Thanks,
Bob
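Added example, not part of Bob's post and not Splunk code: a Python script that reads the same dsearch.csv lookup, builds the OR-ed search that `| inputlookup ... | format` produces, builds one count search per row (what a `map` over the lookup would run), and then checks a constructed set of events against the rows offline to show which data sources have nothing coming in. The CSV is a copy of the lookup above; `SAMPLE_EVENTS`, the `-24h` window and all function names are assumptions made for the example. One caveat the code encodes: in Splunk, `field="*"` only matches events where that field is present, so `eventtype="*"` silently drops events that carry no eventtype, which is why the per-row searches omit wildcard terms.

```python
"""Added example: turn a dsearch.csv-style lookup into Splunk searches and
report which rows have no events. Not from the original post."""
import csv
import io
from fnmatch import fnmatchcase

# Constructed copy of the lookup from the post.
DSEARCH_CSV = """\
index,source,sourcetype,eventtype
firewall,*,*,*
*,/var/log/syslog,syslog,*
netflow,*,bro,bro_smtp
"""

FIELDS = ("index", "source", "sourcetype", "eventtype")

# Constructed sample events; the third one is bro but not bro_smtp, so the
# last lookup row should come back empty.
SAMPLE_EVENTS = [
    {"index": "firewall", "source": "/var/log/pf.log", "sourcetype": "pf", "eventtype": "network"},
    {"index": "os", "source": "/var/log/syslog", "sourcetype": "syslog", "eventtype": "os"},
    {"index": "netflow", "source": "bro_conn", "sourcetype": "bro", "eventtype": "bro_conn"},
]


def load_rows(text):
    """Parse the lookup; inputlookup yields one row per CSV line."""
    return list(csv.DictReader(io.StringIO(text)))


def spl_quote(value):
    """Double-quote a value as `format` does, escaping backslash and quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def row_clause(row, keep_wildcards=True):
    """AND-joined clause for one lookup row.

    keep_wildcards=True reproduces what `format` emits (field="*" stays in).
    In Splunk, field="*" matches only events where the field exists, so
    eventtype="*" excludes events with no eventtype; keep_wildcards=False
    emits only the fields the row actually pins down.
    """
    terms = []
    for f in FIELDS:
        v = (row.get(f) or "").strip()
        if not v or (v == "*" and not keep_wildcards):
            continue
        terms.append(f"{f}={spl_quote(v)}")
    return "( " + (" AND ".join(terms) if terms else "*") + " )"


def combined_search(rows, keep_wildcards=True):
    """The single search `search [| inputlookup dsearch.csv | format]` expands to."""
    return "search ( " + " OR ".join(row_clause(r, keep_wildcards) for r in rows) + " )"


def per_row_searches(rows, earliest="-24h"):
    """One count search per row; what `map` over the lookup would run (assumed window)."""
    return [f"search earliest={earliest} {row_clause(r, keep_wildcards=False)} | stats count"
            for r in rows]


def row_matches(row, event):
    """Offline stand-in for the search: glob each non-empty field; '*' needs the field present."""
    for f in FIELDS:
        pattern = (row.get(f) or "").strip()
        if not pattern:
            continue
        if f not in event or not fnmatchcase(str(event[f]), pattern):
            return False
    return True


def coverage(rows, events):
    """Event count per lookup row; a zero is a data source that is not coming in."""
    return [sum(1 for e in events if row_matches(r, e)) for r in rows]


def missing_sources(rows, events):
    """Lookup rows that matched nothing, suitable for an alert or report."""
    return [r for r, n in zip(rows, coverage(rows, events)) if n == 0]


if __name__ == "__main__":
    rows = load_rows(DSEARCH_CSV)
    print(combined_search(rows))
    for s in per_row_searches(rows):
        print(s)
    for r in missing_sources(rows, SAMPLE_EVENTS):
        print("no events for", r)
```

Inside Splunk the per-row searches correspond to `| inputlookup dsearch.csv | map search="search index=$index$ source=$source$ sourcetype=$sourcetype$ eventtype=$eventtype$ | stats count" maxsearches=10`, with the same caveat that a literal `*` in eventtype requires the field to exist on the event.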