I want to use a lookup file to drive the search for an alert. This seems a bit unique, as I don't want to use event data from results to drive the lookup, but rather have all the lookup entries dynamically added to the search itself. Below is the example use case.

CSV file example:

    Index, ErrorKey
    "index1","Error string 1"
    "index1","Error string 2"
    "index2","Error string 3"

Looking to use it to scale a search like this:

    index=index1 OR index=index2 ("Error string 1" OR "Error string 2" OR "Error string 3")

Basically, the index/error string combo could be managed in the CSV file as opposed to the alert search itself, making it easier to add/scale/maintain the search criteria. Is this possible?