Hi guys,
I'm using a lookup file matching on decades values field.
My goal is to make a chart with 5 columns, 4 with the main values and 1 with all the others aggregated together.
Here's the lookup file:
N_vendor,vendor
java,java
adobe,adobe
microsoft,microsoft
mozilla,mozilla
*,Others
Here's the transforms.conf:
[vendor_bis]
filename = vendor_bis.csv
min_matches = 1
default_match = Others
case_sensitive_match = false
match_type = WILDCARD(N_vendor)
The first 4 columns in my lookup file appear on the chart, but not the last one, which uses a wildcard to match the rest as "Others".
Am I missing something?
Thanks.
I wonder if the default match should not be "*"?
If this doesn't work, you can always use the fillnull command in the search:
< mysearch > | < mylookup > | fillnull vendor value="Others" | stats count by vendor
Remark: if the field "N_vendor" does not exist in the original events, then the lookup will never return any values, and you have to use the "fillnull method".
If the field N_vendor exists, then you can use this type of default lookup result:
N_vendor,vendor
java,java
adobe,adobe
microsoft,microsoft
mozilla,mozilla
default,Others
- transforms.conf with
[vendor_bis]
filename = vendor_bis.csv
min_matches = 1
default_match = default
case_sensitive_match = false
match_type = WILDCARD(N_vendor)
Well, the fillnull function worked, not the transforms.conf modification.
Thanks for the help, yannK!