|inputlookup internal_ip.csv gives me a list of all internal IPs. I need to exclude these IPs in my search query below:
index=test_web | rex field=targetfile "(/[^/]+){1}/(?P
You could do this:
index=test_web NOT [inputlookup internal_ip.csv | rename ip_field_from_lookup as clientip | fields clientip | dedup clientip] | ...
Different topic, the search seems convoluted in places...
Does that index only contain those two sourcetypes? If not, you should add sourcetype=access_combined OR sourcetype=owncloud to the base search to boost performance.
You can incorporate both rename calls into the lookup by using the as keyword.
You can also replace if(isnull(A),B,A) by coalesce(A,B) - this takes more than two fields as well, in case you have huge if(isnull(),,)-trees.
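The three suggestions above put together into one search, as an added example that is not part of the original answer. It assumes the IP column in internal_ip.csv is called ip, an enrichment lookup asset_owner.csv with columns ip and owner, and that access_combined events carry the username in user while owncloud events carry it in owncloud_user; all of those names are assumptions, since the original search is cut off on this page.

```spl
index=test_web (sourcetype=access_combined OR sourcetype=owncloud)
    NOT [ inputlookup internal_ip.csv
          | rename ip AS clientip
          | fields clientip
          | dedup clientip ]
| lookup asset_owner.csv ip AS clientip OUTPUT owner AS clientip_owner
| eval user=coalesce(user, owncloud_user, "unknown")
| stats count AS hits BY clientip, clientip_owner, user
| sort - hits
```

The subsearch runs first and is expanded into (clientip="a.b.c.d") OR (clientip="...") before the outer search executes, so it only works for exact IP strings, not CIDR ranges, and it is subject to the subsearch limits in limits.conf (by default 10,000 results and a 60 second timeout; anything beyond that is silently dropped, so the exclusion would become incomplete). For a large or CIDR-based internal list, do the exclusion with the lookup command instead: | lookup internal_ip.csv ip AS clientip OUTPUT ip AS internal_ip | where isnull(internal_ip), with the lookup definition set to match_type CIDR(ip) if the column holds ranges.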
Great, don't forget to mark this as solved.
Thanks a bunch.