hahah and I was just thinking we are getting there...
So I went through events and can confirm that I have one event per .csv line. I don't see any additional information injected in the events, other than "," in the fields that are empty (in the .csv file).
My search first pulls in some data and does filtering and then:
| rename Letter as Y_Field
| table A_Field, B_Field, Y_Field
| join type=left Y_Field
[ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC"
| eval dateFile=strftime(now(), "%Y-%m-%d")
| where like(source,"%".dateFile."%XXX.csv")
| rename "Target Number" as Y_Field
| eval Y_Field=lower(Y_Field)
| fields Y_Field, Field, "Field 2", "Field 3"]
| table A_Field, B_Field, Y_Field, Field, "Field 2", "Field 3"
I also wonder if the issue might be with the common field for both the search and the events information, as I have to rename it to match. I tested with renaming the field in the search, tested with renaming the field in the data pulled from the index and tested by renaming both to something different - but no luck.
As I mentioned earlier, the data in the index is injected daily, so the search looks for the latest csv.
When I run this search, I get results for A_Field, B_Field, and Y_Field, but Field, "Field 2" and "Field 3" are empty.