I am pretty sure this involves lookups but here is what I am attempting.
I have a list of users in a CSV (users.csv) but it's about 70 names. I want to search a certain sourcetype for these names without having to finger bang them in one at a time. How do I do this? I feel like this is covered somewhere and I have RTFM already. Any assistance with an answer or at least a nudge in the right direction would be greatly appreciated!
AWESOME! Thanks so much!
you actually can do that quite easily (I had the same issue):
sourcetype=*yoursourcetype* [ | inputlookup users.csv | fields user]
This will expand to something like this:
sourcetype=*yoursourcetype* user=user1
sourcetype=*yoursourcetype* user=user2
Hope this helps!