Channel: Questions in topic: "splunk-enterprise"

How can I use a value returned from a search as the source criteria for another search?

I am working on a search that needs to reference two unique CSV sources which are ingested from a UF; let's call these sources foo.csv and bar.csv. The general idea is to create a table which reflects fields from both CSV files for a given event. I've got a handle on how to create a table using field values from the first CSV; my challenge is getting a field value from the second CSV, then adding it to the table.

NOTE: The naming of bar.csv is not static, so I can't use a wildcard. Each event in foo.csv is associated with a uniquely named bar.csv file.

Unfortunately, there are no common fields shared between the two CSV files. One of the fields in foo.csv ("StepResults") contains the absolute pathname of bar.csv (for example, "E:\data\bar.csv"). And, within bar.csv lies the field ("message") that I want to include in my table.

I'm trying to figure out a way to leverage the value from the "StepResults" field in the foo.csv source to define the "source" for another search, in order for me to grab the value from the "message" field in the bar.csv source. So, something like this:

    index=test_metrics sourcetype=metrics_csv source={StepResults value from subsearch} [search index=test_metrics sourcetype=metrics_csv source="*foo.csv*"] | table url, status, execution_time, message

(where "url", "status" and "execution_time" are from the foo.csv source, and "message" is from the bar.csv source identified in the "StepResults" field of foo.csv).

I'm happy to provide additional clarification if this seems a bit confusing. I appreciate any insight that can be shared!
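One way to express this correlation in SPL, added here as an example and not part of the original question or of any answer on this page. It assumes that the source field of the bar.csv events carries the same absolute path that foo.csv stores in StepResults (that is how a UF normally sets source for a monitored file). The index, sourcetype and field names are taken from the question; join_key is a field name introduced for this example. The subsearch turns the StepResults values into source="..." terms, the eval gives every event a common key (the foo.csv events use StepResults, the bar.csv events use their own source), and stats brings the fields of both files together on that key:

```spl
index=test_metrics sourcetype=metrics_csv
    ( source="*foo.csv*"
      OR [ search index=test_metrics sourcetype=metrics_csv source="*foo.csv*"
           | fields StepResults
           | rename StepResults AS source
           | format ] )
| eval join_key=if(like(source, "%foo.csv%"), StepResults, source)
| eval join_key=lower(replace(join_key, "\\\\", "/"))
| stats values(url) AS url,
        values(status) AS status,
        values(execution_time) AS execution_time,
        values(message) AS message
        BY join_key
| table url, status, execution_time, message
```

The second eval lowercases the key and turns backslashes into forward slashes on both sides before joining, so a difference in case or in slash direction between what foo.csv recorded and what the forwarder reported as source does not silently drop rows. Before relying on the result, run `index=test_metrics sourcetype=metrics_csv | stats count BY source` and compare a few source values with the StepResults values by eye: if they differ in any other way (a UNC prefix, a drive mapping), adjust the normalisation in that eval rather than the join. Subsearches are capped by default at 10,000 results and a 60-second runtime, so if there are more foo.csv events than that in the time range, the generated source list will be truncated and some bar.csv events will be missing from the table.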
