Hello woodcock, I don't get how that query would add a new "Location" column to my table
Thanks for your help

Come back and try it now.

I updated my answer; try it now.

Ciao Giuseppe !
Thank you very much for your help. To answer your question, "Hostname" is in my CSV and "host" in data source.
I tried to run your query and that works just fine, thank you.
Is it possible though to add a column with the location ? That would make it way more easy to use in Excel or in a dashboard

Hi romainbouajila,
if you have "Hostname" in CSV and "host" in search you have only to modify the lookup command

 index=* 
 | rex field=source "(?<file_path>.*\\\)" 
 | rex field=source "(?<file_path>.*\/)" 
 | lookup location_lookup.csv Hostname As host OUTPUT Location
 | eval host=host." (".Location.")"
 | chart count over file_path by host limit=0 
 | fields - source 

To divide again the host from the Location, you should try something like this:

 index=* 
 | rex field=source "(?<file_path>.*\\\)" 
 | rex field=source "(?<file_path>.*\/)" 
 | lookup location_lookup.csv Hostname As host OUTPUT Location
 | eval host=host." (".Location.")"
 | chart count over file_path by host limit=0 
 | rex field=host "^(?<hostname>[^\(]*)\((?<Location>.*)"
 | table hostname Location path*

Ciao.
Giuseppe

Hi Giuseppe,

I tried running the first query and then the one you submitted and I don't have the same results.
My query returns 148 different file_path and the other one returns only 31. Do you know where that could come from ?
Also I think I will rework the csv "by hand" and not include the 3rd rex that splits hostname and location, in order to save some resources

Hi romainbouajila,
if you can simplify your search it is surely an advantage even if I don't think that an extra rex weighs much on it.
In any case, to debug the results: remove the lines from the two searches one by one so as to see if and when you have the same number of results and if all the fields you use later are explained.

Ciao.
Giuseppe