Hi All,
I have a list of known application error strings which I want to count. I've created a CSV file containing these error strings, named knownErrorList.csv.
Sample entries in knownErrorList.csv, with headers:
component,errorString
app,Error String 1
app,Error String 2
app,Error String 3
My problem is that the lookup file keeps growing and, with the query below, I'm reaching the maxsearches limit. Is there any other way I can get the same result without using the map command?
Query:
| append [ | inputlookup knownErrorList.csv | eval errorTag=errorString ] | map search="search index=app_index source=*/application.log $errorTag$ | eval errorTag=\"$errorTag$\"" | stats count by errorTag
Sample Output:
errorTag count
Error String 1 10000
Error String 2 5
Error String 3 3