hello
I need to transform the search below because now the fields of tutu.csv and toto.csv are in the index "tata".
So I want to do an identical search based on the fields in the index "tata".
It means that the field "flag", which is actually in tutu.csv, and the field "SITE", which is actually in "titi.csv", are now in the index "tata".
Could you help me match the fields SITE and flag of my new index with the host list that is in host.csv?
| inputlookup host.csv
| lookup tutu.csv "Computer" as host
| lookup titi.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats count by flag
| stats sum(count) as NbNonCompliantPatchesIndHost
| appendcols
[| inputlookup host.csv
| lookup titi.csv HOSTNAME as host output SITE
| search SITE=$tok_filtersite|s$
| stats count(host) as NbIndHost]
| eval Perc=round((NbNonCompliantPatchesIndHost/NbIndHost)*100,2)
| table Perc, NbIndHost
For example, for the first part of the search (before appendcols), I try to do something like this, but I don't know how to do the "stats count by flag" because in my index I have many different events for one host, while I have just one flag per host in the csv file:
index=tata sourcetype="test"
| rename HOSTNAME as host
| lookup host.csv host as host output host
| search SITE=$tok_filtersite|s$
| stats XXXXXXXX
Thanks
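One way to rebuild both legs of the search on top of the index, as an added example that is not part of the original post. It assumes that every event in index tata carries a flag and a SITE field, that host.csv is an uploaded lookup file with a column named host, and that the dashboard token $tok_filtersite|s$ is set as in the post; the field name in_hostlist is a hypothetical helper name chosen here. The step the post asks about is the "stats latest(flag) AS flag BY host" line, which collapses the many events per host to one row per host before counting by flag.

```spl
/* Leg 1: hosts from host.csv that have a flag in the index, restricted to the selected SITE. */
index=tata sourcetype="test"
| rename HOSTNAME AS host
/* Keep only hosts present in host.csv; OUTPUT the lookup key under a helper name so it is null for non-matches. */
| lookup host.csv host OUTPUT host AS in_hostlist
| where isnotnull(in_hostlist)
| search SITE=$tok_filtersite|s$
/* One row per host: take the most recent flag value seen for that host. */
| stats latest(flag) AS flag BY host
/* Same as the original "stats count by flag": hosts with a null flag are dropped here. */
| stats count BY flag
| stats sum(count) AS NbNonCompliantPatchesIndHost
| appendcols
    [ search index=tata sourcetype="test"
      | rename HOSTNAME AS host
      | lookup host.csv host OUTPUT host AS in_hostlist
      | where isnotnull(in_hostlist)
      | search SITE=$tok_filtersite|s$
      /* Distinct hosts, not events, so the denominator is one per host as in the csv version. */
      | stats dc(host) AS NbIndHost ]
| eval Perc=round((NbNonCompliantPatchesIndHost/NbIndHost)*100,2)
| table Perc, NbIndHost
```

Two caveats when moving from the csv to the index: the index version only sees hosts that produced at least one event in the search time range, so a host listed in host.csv with no events is no longer counted in NbIndHost; and if a host's flag changes between events, latest(flag) picks the most recent one, whereas values(flag) would return every value and could count the same host under several flags.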