Hi,
I'm having some issues with external lookup fields based on a static file.
When defining the csv static file used as input, the particular type of entry is as follows:
facility,priority,category,message,kernel_message,
...
%KERN,6,KERN_ARP_ADDR_CHANGE,,KERN_ARP_ADDR_CHANGE: arp info overwritten for from to ,
...
This is also referenced in props.conf with the following parameters (I have also tried several other combinations without success):
[prioritydata]
lookup_table = priority-lookup kernel_message OUTPUT facility priority message
However, I cannot add the intended fields to search outputs with a query like:
| lookup priority-lookup kernel_message OUTPUT priority
It works, however, for other types of messages where the lookup is based on category, if the entry in props.conf is properly adapted for it. In this case, category is a simple string with no blank spaces.
- Newbie questions:
[1] Does such an input lookup work if the specific field contains blank spaces and more than a single string?
[2] Ideally, I would want to achieve a situation where either a lookup in the category OR in the kernel_message fields provides and adds the priority.
Is this an AND or an OR of both input fields?
lookup priority-lookup category kernel_message OUTPUT priority
Would it be possible to achieve such a lookup (one field OR the other) with a single lookup instruction? The input csv file contains one field filled or the other, never both of them.
Thanks,
Gonzalo