Hi All,
I've been trying to build on an existing search I've got working and find myself going around in circles and hoping for some collective experience to get to the answer.
The successful search is
source="file.log" [| inputlookup domain.csv | rename HostAddress as query| fields + query ]
File.log contains the source field I'm using "query" and domain.csv is a lookup I've defined. This pulls out just the records in file.log that match on HostAddress in domain.csv. Perfect.
Where I'm pulling my hair out is that I want to pull a second column out of domain.csv and add that to the search result. Let's call the second column "test-result". I've read lots of articles about Lookup definitions and Automatic lookups, but these dont seem to work when I've using the inputlookup to make a subset of records. For example, my file.log file has many hundreds of thousands of lines, but I only want the six lines that have a match to domain.csv and I want a second column from domain.csv to be returned.
Thanks
... View more