Hello!
Problem:
Take a .csv lookup file and search through an index in order to identify a match if ipaddress OR username match.
Sample lookup data:
username, ipaddress, url, protocol, group, severity
tomj, 10.10.10.123, google.com, 80, badguy, 1
bobt, 10.10.10.124, google.com, 443, good, 2
sarat, 10.10.10.121, g.com, 80, good, 2
My query:
index=log_files | lookup table.csv ipaddress as src_ip, url as link OUTPUT group, severity
| table _time, src_ip, group, severity
Result:
I only get a result when both src_ip AND link from my index match the lookup. But I want to know if either of these conditions match. For example, when ip 10.10.10.123 OR g.com is visited, I would expect to see group, severity for those two separate records.
How can I use OR logic in my lookup fields instead of AND?
Please let me know if I remain unclear in my request.
Thank you!
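One way to get OR semantics, added here as an example and not part of the original post: a single lookup command matches on all of its input fields together (AND), so run the lookup once per key field, give each run its own output field names, then coalesce them. This assumes the lookup is referenced as table.csv and the event fields are src_ip and link, as in the question; the same pattern extends to a third lookup on username.

```spl
index=log_files
| lookup table.csv ipaddress AS src_ip OUTPUT group AS group_ip, severity AS severity_ip
| lookup table.csv url AS link OUTPUT group AS group_url, severity AS severity_url
| eval group=coalesce(group_ip, group_url), severity=coalesce(severity_ip, severity_url)
| where isnotnull(group)
| fields - group_ip, group_url, severity_ip, severity_url
| table _time, src_ip, link, group, severity
```

coalesce() returns the first non-null value, so when an event matches both keys on different lookup rows the ipaddress match wins; drop the where clause if you also want events that matched neither key.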