Is there a way to use a lookup table to have a list of host, and use that list to only search logs for those hosts?
For exmaple, if I have a lookup table like this:
host,description
server1,Description of server1
server2,Description of server2
server3,Description of server3
Can I run a search that only searches server1/2/3, but would not look at server4/5/6?
Basically I'm trying to avoid having to specify host=server1 OR host=server2 OR host=server3 in each search.
Most definitely. Use a subsearch for this, it's pretty much exactly what it's for.
youroutersearch [| inputlookup yourlookuptable | fields host]
Most definitely. Use a subsearch for this, it's pretty much exactly what it's for.
youroutersearch [| inputlookup yourlookuptable | fields host]
Best thing is to add that as its own question, and we'll take it from there.
Perfect, this was even easier than I thought. I've got another related question. I'm trying to get a weighted ratio of errors per server. If I have a lookup table like this
host,percent
server1,33
server2,33
server3,33
How would I use the lookup table to multiply the errors on a per server basis?
Normally I'd do something like | chart count by host, but I want a weighted count based on that percent.