Hi,
I have a query that uses this search to look for hosts that we need to validate:
|tstats count WHERE index=* AND [ |inputlookup testSVB2.csv |fields + host] groupby host, index, sourcetype
I'd like to expand this, so that it uses additional columns against the host field. I'd have an ip column, and a fqdn name column in the lookup, and then search, comparing those to the hosts field. I'm guessing that an "OR" statement is the best option, but I don't see any way to do that, in this scenario. Does anyone have a suggestion?
↧