Hi All, I have a lookup table that looks like:
Key,value
cat1,val1
cat2,val2
cat3,val3
This is in a lookup file called keyvalpairs.csv.
I want to query the lookup table to return the value when a key is passed in.
The key is a concat of two field values in a search.
I want a pseudo query that looks something like:
sourcetype = * | eval keyfield = field1."#".field2 | lookup keyvalpairs.csv [where Key = keyfield] OUTPUT value |
so that the concat of field1 and field2 from the events is looked up in the CSV and the corresponding value is printed.
Is this doable?