I'm trying to correlate info based on a lookup file and no matter how I try, I can't make it work.
I have a csv with values like:
```
host,country
host1*,country1
host2*,country1
host3*,country2
```
etc
I'm running a search that outputs hosts using a regex:
```
... | rex field=field1 //Simplified, extracts host from text
| [|inputlookup csvfile.csv ]
| bucket _time span=30d
| stats list(host), list(country) by _time
```
This search of course does not work.
I want to match the **host** field of the csv with the rexed host from the search and get the country the host is in in a list along with the actual host.
I've tried numerous ways but cannot get it to work. Some help would be greatly appreciated. How do I make sure to match the rexed host with a host* value in the csv?