I have an xls input lookup, I'm trying to find members in inputlook in my source type.
Thanks
eg file - with attributes -pkID
source type has pkID and attributes,
I want attributes for those pkID in lookup file.
What would be the query ?
index= sourcetype = attr1 attr2 |lookup from PkID in lookupfile? ??/ How do I make this query ????
Try this
index=foo sourcetype=bar [| inputlookup lookupfilename.csv | fields PkID] | rest of your search
This should return only events from your index=foo where PkID is in lookupfilename.csv