I use the following search for proxy logs:
index=proxy src="10.10.10.10" | table _time,src, action, dest, status | dedup src,action, dest, status
For one src this is fine, but I have to build a table like this for 100 different sources. Is there a way I can do this without putting src="10.10.10.10" OR src="192.168.1.1" and so on and so on?
Thanks
You can put all 100 different sources in a lookup table and use a subsearch to retrieve the sources dynamically into your search.
Lookup table: proxy_sources.csv (first line header)
src
10.10.10.10
192.168.1.1
..other
values...
New search using the above lookup (the subsearch reads the same proxy_sources.csv defined above):
index=proxy [| inputlookup proxy_sources.csv | table src ] | table _time,src, action, dest, status | dedup src,action, dest, status
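To make the mechanics of the answer above concrete, here is an added example (not from the original thread or from Splunk): Splunk substitutes the subsearch `[| inputlookup proxy_sources.csv | table src ]` with an OR of one `src="..."` term per lookup row, then `dedup src, action, dest, status` keeps the first event seen for each field combination. The script below reproduces that expansion from a lookup CSV and applies the same filter and dedup to a handful of constructed proxy events; the CSV contents, event records and function names are all assumptions made for illustration.

```python
"""
Added example, not part of the original Splunk Answers thread.

Mimics what Splunk does with
  index=proxy [| inputlookup proxy_sources.csv | table src ] | ... | dedup src,action,dest,status
outside Splunk: build the OR clause the subsearch expands to, filter events
by it, then dedup on the same field combination.
"""
import csv
import io

# Constructed stand-in for proxy_sources.csv (first line is the header).
LOOKUP_CSV = """src
10.10.10.10
192.168.1.1
"""

# Constructed proxy events, listed newest-first as Splunk returns them, so
# dedup keeps the most recent event of each combination (as it does in SPL).
EVENTS = [
    {"_time": "2024-01-01T10:05:00", "src": "10.10.10.10", "action": "allowed", "dest": "example.com", "status": 200},
    {"_time": "2024-01-01T10:04:00", "src": "10.10.10.10", "action": "allowed", "dest": "example.com", "status": 200},
    {"_time": "2024-01-01T10:03:00", "src": "192.168.1.1", "action": "blocked", "dest": "bad.example", "status": 403},
    {"_time": "2024-01-01T10:02:00", "src": "172.16.0.5",  "action": "allowed", "dest": "example.com", "status": 200},
    {"_time": "2024-01-01T10:01:00", "src": "192.168.1.1", "action": "blocked", "dest": "bad.example", "status": 403},
]


def load_sources(csv_text, field="src"):
    """Equivalent of `| inputlookup ... | table src`: the lookup column, in file order, blanks dropped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[field].strip() for row in reader if row.get(field, "").strip()]


def expand_subsearch(sources, field="src"):
    """Render the OR clause Splunk substitutes for the subsearch in the outer search."""
    terms = ['({}="{}")'.format(field, s) for s in sources]
    return "( " + " OR ".join(terms) + " )"


def search(events, sources, dedup_fields=("src", "action", "dest", "status")):
    """Filter events to the lookup's sources, then dedup on dedup_fields keeping the first seen."""
    allowed = set(sources)
    seen = set()
    results = []
    for ev in events:
        if ev["src"] not in allowed:          # the expanded src="..." OR clause
            continue
        key = tuple(ev[f] for f in dedup_fields)
        if key in seen:                       # dedup: drop later duplicates
            continue
        seen.add(key)
        results.append({k: ev[k] for k in ("_time",) + tuple(dedup_fields)})  # table _time,src,action,dest,status
    return results


if __name__ == "__main__":
    srcs = load_sources(LOOKUP_CSV)
    print("subsearch expands to:", expand_subsearch(srcs))
    for row in search(EVENTS, srcs):
        print(row)
```

Running it shows the two surviving rows (one per distinct src/action/dest/status combination among the listed sources) and the OR clause the subsearch stands in for. One practical caveat when scaling this pattern up in Splunk itself: a subsearch is subject to the limits.conf subsearch result cap (10,000 by default), which is comfortably above 100 sources but matters if the lookup grows into the tens of thousands of rows.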