Is there a way I can have a search look at a lookup that has predefined search queries in each row and then run a search across those search queries?
Here's the Lookup:
testLOOKUP
testcolumn
index=test1 test search content1
index=test1 test search content2
index=test1 test search content3
Here's the search:
search [|inputlookup testLOOKUP | table testcolumn] | stats count by host
Would this roll through content1, content2, content3 and then provide results?
"Rolling through" as in do one search per row? That'd be the map command:
| inputlookup testLOOKUP | map [search $testcolumn$] | stats count by host
That's not going to be fast, it'd be much faster to run this for your example:
index=test1 (test search content1) OR (test search content2) OR (test search content3) | stats count by host
This could be achieved by running this:
[| inputlookup testLOOKUP | rename testcolumn as query | fields query] | stats count by host
Note, this assumes there are no piped commands in the lookup, only filters.
Not really, there just can't be any pipes involved.
In the lookup column, would there be any restriction on how I have the query formatted?
Currently, the queries would look like this in the testcolumn:
index="testindex" app="testapp" "search content"
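An added example, not part of the original thread: a Python pre-check that enforces the "only filters, no pipes" restriction on the lookup column and shows roughly what the `query` subsearch expands to. The function names, the sample rows beyond those in the thread, and the exact parenthesisation of the expanded search are assumptions.

```python
import csv
import io

# Constructed lookup export: the thread's rows plus two edge cases.
SAMPLE_LOOKUP = '''testcolumn
index=test1 test search content1
index=test1 test search content2
"index=""testindex"" app=""testapp"" ""search content"""
index=test1 "a|b"
index=test1 foo | stats count
'''

def is_filter_only(row):
    """True when the row has no |, [ or ] outside double quotes."""
    in_quotes, prev = False, ""
    for ch in row:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        elif not in_quotes and ch in "|[]":
            return False
        prev = ch
    # Empty rows and unbalanced quotes are rejected as well.
    return bool(row.strip()) and not in_quotes

def split_rows(csv_text, column="testcolumn"):
    """Return (accepted, rejected) values of the lookup column."""
    accepted, rejected = [], []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        value = (rec.get(column) or "").strip()
        (accepted if is_filter_only(value) else rejected).append(value)
    return accepted, rejected

def expand(rows, tail="| stats count by host"):
    """Approximate the search that a `query` subsearch expands to."""
    ored = " OR ".join(f"( {r} )" for r in rows)
    return f"( {ored} ) {tail}"

if __name__ == "__main__":
    ok, bad = split_rows(SAMPLE_LOOKUP)
    print(expand(ok))
    print("rejected:", bad)
```

Rows that fail the check are the ones that would need the slower map approach, or should be reviewed before anyone is allowed to put them in the lookup.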