I've got a lookup table that consists of two columns: "Description" and "PCRE". What I'm looking to do is search my proxy data and, if the regex from the PCRE column matches the _raw data, add the corresponding value of the "Description" column to the results. The CSV contains over 200 regular expressions and is formatted something like this:
Description, PCRE
D1, http:\/\/[^\abc]$
D2, http:\/\/[^\xyz]$
D3, http:\/\/[^\123]$
I'm using the following search which will provide all hits, but I can't seem to figure out how to add in the Description field from the lookup:
index=proxy
| fields _time user action src dest_ip dest bytes_out bytes_in uri_path http_referrer
| regex [| inputlookup pcre_list
| rename "PCRE" as search
| fields search
| format
| table search]
| stats count by src dest
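A stand-in for the matching step, added here and not part of the question or of Splunk: Python applying a constructed Description/PCRE table to constructed proxy events, keeping every Description whose pattern matches (one event can hit several rows) and skipping rows whose pattern does not compile so one bad row does not break the whole table. The patterns and events are assumptions, not the original 200 rows.

```python
import csv
import io
import re

# Constructed lookup in the same two-column shape as the question's pcre_list.
# Patterns containing a comma (e.g. \d{1,3}) would need CSV double-quoting.
LOOKUP_CSV = r"""Description, PCRE
Bare IP host, \bhttps?://\d+(?:\.\d+){3}(?::\d+)?/
Executable download, \.(?:exe|dll|scr)$
Bad pattern, http://[unclosed
"""

# Constructed proxy events standing in for _raw.
EVENTS = [
    "2024-05-01T10:00:00Z user=alice action=allowed dest=203.0.113.7 uri=http://203.0.113.7:8080/setup.exe",
    "2024-05-01T10:00:05Z user=bob action=allowed dest=example.org uri=https://example.org/index.html",
    "2024-05-01T10:00:09Z user=carol action=blocked dest=198.51.100.4 uri=http://198.51.100.4/update.dll",
]


def load_lookup(csv_text):
    """Compile each PCRE once and return (Description, compiled pattern) pairs.
    skipinitialspace handles the 'Description, PCRE' spacing used in the question."""
    rules = []
    for row in csv.DictReader(io.StringIO(csv_text), skipinitialspace=True):
        try:
            rules.append((row["Description"].strip(), re.compile(row["PCRE"].strip())))
        except re.error:
            continue  # malformed row: skip it rather than abort the whole lookup
    return rules


def tag_event(raw, rules):
    """Every Description whose pattern matches the raw event, in lookup order."""
    return [desc for desc, pat in rules if pat.search(raw)]


def tag_events(events, rules):
    """(raw, [descriptions]) for events with at least one hit, mirroring | regex."""
    tagged = [(raw, tag_event(raw, rules)) for raw in events]
    return [(raw, descs) for raw, descs in tagged if descs]
```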