I appended a CSV to an index, and right now my results pop up as the 100 lines of CSV, and then 30K of the index.
What I would like is to only return IF the values in the fw field from the index MATCH a value in the 100 lines of the CSV firewall_rule field... thoughts? I have a match in there currently but it's showing no similarities (even though I manually checked, there are many).
| from inputlookup:"firewall-exception-prod.csv"
| append [ search index=gcp_firewall]
| rename data.jsonPayload.rule_details.reference as FW
| search FW = "network:prod*" OR firewall_rule=*
| rex field=FW "network:prod-corp/firewall:(?<fw>.*)"
| eval result=if(match(fw, firewall_rule),"yes", "no")
| table firewall_rule fw result
Do you know what I'm missing? Thank you!!!
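An added example, not part of the original post: `append` only stacks the CSV rows on top of the index events, so each row carries either `firewall_rule` or `fw` but never both, and `match(fw, firewall_rule)` has nothing to compare within a row. One way to keep only the events whose extracted `fw` appears in the CSV is to use the lookup as a subsearch filter. This assumes the `firewall_rule` values in the CSV are exactly the string that `rex` extracts into `fw`.

```spl
index=gcp_firewall
| rename data.jsonPayload.rule_details.reference as FW
| search FW="network:prod*"
| rex field=FW "network:prod-corp/firewall:(?<fw>.*)"
| search [| inputlookup firewall-exception-prod.csv | fields firewall_rule | rename firewall_rule as fw]
| table FW fw
```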