Hi,
I was given a request to use CSV lists (i.e. lookups) with keyword values to find USB writes in an index where the field "file-name" holds the file info written to USB. The file-name values are not consistent, and most often the value comes back as a file path, like "D:/Downloads/foo/bar/foo-bar.txt" or something like that. So file-name is actually a file path.
I was asked to use a CSV supplied to me as the lookup criteria, like this...
keyword.csv is the lookup name
keyword keyword-ID
*red* 34948-kjas
*green* 89050-kjec
*blue* 89008-nkme
The column header fields are "keyword" (which is a wildcard string) and "keyword-ID" (which is a random ID).
I wrote a query like this...
index=foo sourcetype=bar [|inputlookup keyword.csv |fields keyword | rename keyword as file-name] |stats count by file-name
and I get the counts of each unique file-name, which is what I thought the requestor wanted, but that is not the case.
They want to know the count by keyword, like red = 5, green = 1 and blue = 3, etc...
So I am stuck getting the results from my query piped back into a lookup to count by the keywords...
I am not sure how to get this done. I was advised in Slack to use wildcard matching to reverse the lookup, but I could not get it to work.
index=foo sourcetype=bar [|inputlookup keyword.csv |fields keyword | rename keyword as file-name] | >>>> ?
Any advice appreciated!!
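One way to get the per-keyword counts, as an added example that is not part of the original post: instead of only filtering with the subsearch, create a lookup definition over keyword.csv (the name keyword_wc below is an assumption) and, under its Advanced options, set Match type to WILDCARD(keyword). The lookup command can then match each event's path against the "*red*"-style patterns and return the pattern that matched, which is what stats needs to group on. The index, sourcetype and field names are the ones from the post.

```spl
index=foo sourcetype=bar
    [| inputlookup keyword.csv | fields keyword | rename keyword AS file-name]
| rename "file-name" AS file_name
| lookup keyword_wc keyword AS file_name OUTPUT keyword AS matched_keyword
| stats count BY matched_keyword
```

The subsearch still narrows the events to those whose path matches at least one keyword; the lookup then tags each event with the wildcard row that matched, so the result is one row per pattern (e.g. "*red*" 5, "*green*" 1, "*blue*" 3). Wildcard matching is case sensitive unless case_sensitive_match is turned off on the lookup definition, and a path that matches more than one pattern gets a multivalue matched_keyword, which stats counts once under each value. Adding "keyword-ID" to the OUTPUT clause carries the ID through to the results as well.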