I have created a basic lookup table with 2 columns, "lookup1.csv"
Col1,Col2
12,bar
14,vix
15,yell
Within my index the values of Col1 are possibly present in 2 different fields (Field1,Field2). I would like to perform a lookup which would match values in Col1 to those in Field1 OR Field2
Example Report:
| table value(Field1), match found in lookup1.csv
If we get this far, then create an automatic lookup which creates an event when there is a match.
Thanks
Like this:
index="YourIndexHere" sourcetype="YourSourcetypeHere"
| lookup lookup1 Col1 AS Field1 OUTPUT Col2 AS Match1
| lookup lookup1 Col1 AS Field2 OUTPUT Col2 AS Match2
| search Match1="*" OR Match2="*"
| table Field1 Match1 Field2 Match2
This worked, thank you.
Try like this
your current search which includes Field1 and Field2
| eval matchField=split(Field1."##".Field2,"##")
| lookup lookup1.csv Col1 as matchField OUTPUT Col2 as matchedValue