| inputlookup clusName.csv | fields cluster
This works in a dropdown and has around 10 entries.
Now, I need to use the values in the cluster field to display the rest of the information.
index = * sourcetype=***** eventtype=* | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by values[|inputlookup clusName.csv | fields cluster]
I get up to the Host details fine. But it doesn't work on the output of the inputlookup field. Is this possible to achieve?
| rex field=source "(\/\w+){2}\/(?<clus>[^\/]*)" | dedup clus | sort clus | table clus | outputlookup clusName.csv
Sample source fields have the patterns below:
/field1/field2/field3/asdf/asdf
/tab1/tab2/tab3/asfda/asdf
Now trying to use the inputlookup values in search. The inputlookup works fine on dropdown.
This is not working though:
index = sourcetype=xxxxx eventtype=* [|inputlookup clusName.csv | fields cluster] | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster
You cannot use fields unless you combine fields with Lookup or Join.
If the cluster field does not exist, you need to extract the field so please present the sample log.
Try putting your subsearch as part of your base search:
index = sourcetype= eventtype=* [|inputlookup clusName.csv | fields cluster] | stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster
No results are displayed. I do not have the cluster field in the index, only in the lookup table. I can't even get the output of inputlookup displayed as a table along with other fields. The output column for the cluster field is always empty. But inputlookup alone works fine, and it works in a dashboard too.
The cluster field has entries based on the "source" field. Using a regex, a part of the string was stripped from the source field. What else could I try to get this going?
Can you try the following if the cluster field is available in your lookup file as well as in the indexed data?
index = sourcetype= eventtype=* [|inputlookup clusName.csv | fields cluster]
| stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster
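
Added example, not part of the thread: a subsearch such as [| inputlookup clusName.csv | fields cluster] expands into cluster="..." OR cluster="..." terms, so it can only match events that already carry a cluster field at search time. One way to apply the lookup values when cluster exists only in the lookup is to extract it from source first and then filter. This assumes the lookup column is named cluster, reuses the rex pattern posted above with the capture group renamed to cluster, and uses <your_index> and <your_sourcetype> as placeholders:

```spl
index=<your_index> sourcetype=<your_sourcetype> eventtype=*
| rex field=source "(\/\w+){2}\/(?<cluster>[^\/]*)"
| search [| inputlookup clusName.csv | fields cluster]
| stats values(eventtype) as Eventtype values(source) as Source values(host) as Host by cluster
```

Appending | format to the inputlookup search on its own shows the exact filter string the subsearch hands to the outer search.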