Hi all,

i have a established query which is working fine. But when i try to add the inputlookup to the query, its not working. i am using a federated search. 

My need is to configure a maintenance table as a csv lookup  and refer to it in the query. 

when i try to access the csv file via inputlookup, i get error. 

can you please suggest is there a way to configure maintenance for a particular backend via lookup table and refer to it in the query. i want to exclude the backend host for a particular date and time. 

Query below:

index="federated:XXX"  ("HTTP response code" OR "url-open" OR "Host connection failed")  NOT "HTTP response code 2**" | rex field=_raw "https://(?<backend>.*)\:" | rex field=_raw "gtid\(\w{1,24}\): (?<error>.*)"|
rex field=_raw "^<\d+>(?P<date>\d+\-\d+\-\d+\w+:\d+:\d+\.\d+)[^ \n]* (?P<host>\w+)\s+\[(?P<domain>[^\]]+)" | eval thresholdValue = case(backend=="******" AND domain=="*****", 500, backend=="abcd.com" AND domain!="abcd-ALERTS", 350, backend=="ertyu.com" AND domain=="ertyu", 1000, backend!="qwerty.com", 100) | stats count by domain,backend,error,source,thresholdValue | sort -count | where count>thresholdValue | eval Priority=if(count>200,"3","4") | eval createINCTicket="0" | table domain,backend,error,source,thresholdValue,Priority,count,createINCTicket | lookup incsearch DOMAIN AS domain URL AS backend OUTPUT APPCODE AS BackendAppcode CREATETICKET AS CT INCIDENT AS incident

Maintenance csv lookup