Maybe my demo data was not good enough and did not reflect my actual data precisely; here is better demo data and a better explanation of the issue.

Consider whitelist_foo.csv as an inputlookup with the following data:

"_time","common_name",description,"issuer_name","requester"

If any of my replies helps you to solve the problem or gain knowledge, an upvote would be appreciated.

Did not work, the column whitelist was empty for everything.

") | mvexpand raw | rename raw as _raw | extract | table domain serial desc |ī"| multikv forceheader=1 | table domain | eval domain=replace(domain,"\*","%") | stats delim="," values(domain) as domain_1] | eval domain_1=split(domain_1,",") | mvexpand domain_1

My Sample Search:

| makeresults | eval raw="domain= serial=123 desc=whatever1|
domain= serial=456 desc=whatever2|
domain= serial=789 desc=whatever3|
domain= serial=098 desc=whatever4|
domain= serial=765 desc=whatever5" | eval raw=split(raw,"| | eval domain_1=split(domain_1,",") | mvexpand domain_1

How can I overcome you please try this?

index=foo | fields domain serial desc | fields domain, serial, desc, whitelist]

From what I understood, the join left interprets the asterisk as a string, not as a wildcard. On the other hand, appear with YES in the whitelist column, because it does not have any wildcard in the whitelist. For example, all domains *. (in my example, and ) should have the column whitelist as YES, but they appear blank. I'm using the query below to do that, but it does not work for wildcard domains. I want the table to show a column "whitelist" with YES if the domain is in the whitelist. I have a whitelist csv inputlookup with the following: This index is used in a search in a dashboard, where I have a table showing relevant fields. I have an index where one of the relevant fields is a domain.