Hello All,
I have a task to measure the compliance of security solutions onboarded on the SIEM, meaning I have to regularly check whether a solution is onboarded by checking whether any logs are being generated in a specific index.
For example, my search query will be:
index=EDR
| stats count
| eval status=if(count > 0, "Compliant", "Not Compliant")
| fields -count
The result I should get:
status
Compliant
I have a lookup table called compliance.csv and I need to update the status from "Not Compliant" to "Compliant".
Solution | Status
EDR | Not Compliant
DLP | Not Compliant
How can I utilize the outputlookup command to update the table rather than overwrite or append it?
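One way to update a single row without clobbering the rest, shown here as an added example rather than code from the original post or a reply: read the current lookup back in, merge it with the fresh result, and write the merged set out with outputlookup. It assumes the lookup has the Solution and Status columns shown above, that the Solution values match the index names, and a 24-hour check window (an assumed interval, not from the post).

```spl
| tstats count where earliest=-24h (index="EDR" OR index="DLP") by index
| rename index AS Solution
| eval seen=1
| inputlookup append=true compliance.csv
| stats max(seen) AS seen by Solution
| eval Status=if(coalesce(seen, 0) > 0, "Compliant", "Not Compliant")
| fields Solution Status
| outputlookup compliance.csv
```

Because every existing row is read back and merged before outputlookup rewrites the file, rows for solutions with no events in the window keep their place and are set to "Not Compliant", while solutions that are logging flip to "Compliant"; saving this as a scheduled search keeps the lookup current.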