Solved: Only return results with field appearing in a look...

pjb2160 · ‎11-05-2014

Hello,

I'm looking to only return results for "ad_x" log entries which have an "event_code" listed in the "ad_event_codes.csv" lookup:

sourcetype="ad_x" event_code=[inputlookup ad_event_codes.csv | fields event_code]

I feel I'm close but can't quite get it to work. Any pointers?

Cheers.

kml_uvce · ‎11-05-2014

use this...

sourcetype="ad_x" [|inputlookup ad_event_codes.csv | fields event_code]

pjb2160 · ‎11-06-2014

Many thanks!

kml_uvce · ‎11-05-2014

use this...

sourcetype="ad_x" [|inputlookup ad_event_codes.csv | fields event_code]

Only return results with field appearing in a lookup