Did not work, the column whitelist was empty for everything. Maybe my demo data was not good enough and did not reflect my actual data precisely, here is a better demo data and better explanation of the issue. Consider whitelist_foo.csv as an inputlookup with the following data: "_time","common_name",description,"issuer_name","requester"
"2021-01-01T00:00:00.000+0000","*.alpha.examplecloud.com","Free text, can be anything.","C=US, O=Amazon, OU=*, CN=Amazon","John"
"2021-01-01T00:00:00.000+0000","partner.example.com","Free text, can be anything.","C=US, O=Let's Encrypt, CN=R3","Mary"
"2021-01-01T00:00:00.000+0000","dev.example.io","Free text, can be anything.","C=US, O=Let's Encrypt, CN=R3","Bob"
"2021-01-01T00:00:00.000+0000","*.dev.example.io","Free text, can be anything.","C=US, O=Amazon, OU=*, CN=Amazon","Victor"
"2021-01-01T00:00:00.000+0000","status.example.com","Free text, can be anything.","C=US, O=Let's Encrypt, CN=R3","Alice" Take note that common_name and issuer_name can have wildcard (*) and those should be taken into consideration in the dashboard query, just like I have it today. Currently, the table in my dashboard is created using this query: index=foo NOT
[| inputlookup whitelist_foo.csv
| table common_name, issuer_name]
| eval _time=strptime(entry_timestamp, "%FT%T.%3N")
| table entry_timestamp, not_before, not_after, common_name, issuer_name, serial_number
| sort -entry_timestamp What this query does is hide all domains included in the whitelist (be it a precise match or a wildcard match). If, for example, in the last few days the certificates below were issued, we would have the following behaviour: bar.dev.example.io (not shown, because match wildcard) dev.example.io (not shown, because precise match) abc.example.com (shown, because no match) xyz.partner.example.com (shown, because no match) example.com (shown, because no match) example.io (shown, because no match) examplecloud.com (shown, because no match) lipsum.status.example.com (shown, because I did not whitelist *.status.example.com) alpha.examplecloud.com (shown, because I only whitelist *.alpha.examplecloud.com) dev.example.io issued by CA ShaddyCo (shown, because did not match the CA in the whitelist) Hope this give you a better idea of the issue.
... View more