The subsearch would translate your lookup into the query ((Domain="bad.com") OR (Domain="bad.biz")). With your case there are two ways that I can think about this being done offhand, with certain tradeoffs. Assuming you have a lookup defined named baddomains with the field Domain, one way to search would be:

sourcetype=weblogs

outputlookup takes the current event set and writes it to a CSV or KVStore. inputlookup takes the table of the lookup and creates new events in your result set (either created completely or added to a prior result set).
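To make the subsearch expansion concrete, here is an added Python sketch (not code from the post above or from Splunk) that loads constructed lookup rows, renders them the way Splunk's default subsearch formatting does, ((Domain="bad.com") OR (Domain="bad.biz")), and applies the same OR-of-rows, AND-within-row matching to constructed web-log events. The lookup contents, the event records and the quoting rule used for values are assumptions of this example.

```python
# Added example: simulate how a Splunk subsearch over a lookup becomes an
# OR filter on the outer search. Not Splunk's own code; the lookup rows and
# the events below are constructed samples.
import csv
import io

# Constructed stand-in for the result of "| inputlookup baddomains | fields Domain".
BADDOMAINS_CSV = """Domain
bad.com
bad.biz
"""


def load_lookup(csv_text):
    """Return lookup rows as a list of dicts, one per CSV row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _quote(value):
    # Assumed quoting rule: values are double-quoted, embedded backslashes
    # and quotes are escaped, so a lookup value cannot break out of its term.
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def subsearch_to_filter(rows):
    """Render rows in the default subsearch shape: each row becomes an AND of
    field="value" terms and the rows are OR'ed together."""
    if not rows:
        return ""
    clauses = []
    for row in rows:
        terms = " AND ".join(f"({k}={_quote(v)})" for k, v in row.items())
        clauses.append(f"({terms})" if len(row) > 1 else terms)
    return "(" + " OR ".join(clauses) + ")"


def matches(event, rows):
    """True if some row has all of its field/value pairs present in the event."""
    return any(all(event.get(k) == v for k, v in row.items()) for row in rows)


def filter_events(events, rows):
    """Apply the expanded filter to the outer search's events."""
    return [e for e in events if matches(e, rows)]


# Constructed sample events standing in for sourcetype=weblogs.
WEBLOGS = [
    {"src_ip": "10.0.0.5", "Domain": "bad.com"},
    {"src_ip": "10.0.0.6", "Domain": "example.org"},
    {"src_ip": "10.0.0.7", "Domain": "bad.biz"},
]

if __name__ == "__main__":
    rows = load_lookup(BADDOMAINS_CSV)
    print(subsearch_to_filter(rows))  # ((Domain="bad.com") OR (Domain="bad.biz"))
    for hit in filter_events(WEBLOGS, rows):
        print(hit)
```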