All that we have to do is match the event and reset the index.
[contains_password_1]
DEST_KEY = _MetaData:Index
REGEX = Password reset called
FORMAT = sensitive
Things to note are:
• In this scenario, you will probably make multiple transforms, so be sure to make each stanza name unique.
• The DEST_KEY value, _MetaData:Index, starts with an underscore.
• FORMAT does not start with index::
• The index sensitive must exist on the machine indexing the data, or the event will be lost.
Lookup definitions
A simple lookup simply needs to specify a filename in transforms.conf, thus:
[testlookup]
filename = test.csv
Assuming test.csv contains the columns user and group, and our events contain the field user, we can reference this lookup by using the lookup command in search, as follows:
* | lookup testlookup user
Or, we can wire this lookup to run automatically in props.conf, thus:
[mysourcetype]
LOOKUP-testlookup = testlookup user
That's all you need to get started, and this probably covers most cases. See the Using lookups to enrich data section in Chapter 6, Extending Search, for instructions on creating lookups.
Wildcard lookups
In Chapter 9, Summary Indexes and CSV Files, we edited transforms.conf but did not explain what was happening. Let's take another look. Our transform stanza looks like this:
[flatten_summary_lookup]
filename = flatten_summary_lookup.csv
match_type = WILDCARD(url)
max_matches = 1
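To make the two transforms.conf mechanisms on this page concrete, here is an added Python emulation (not Splunk's code and not from the book) of index routing through DEST_KEY = _MetaData:Index and of a WILDCARD(url) lookup that honours max_matches. The transforms.conf text and the lookup rows are constructed for the example, and fnmatch stands in for Splunk's own wildcard matcher.

```python
import configparser, fnmatch, re

# Constructed transforms.conf fragment mirroring the two stanzas discussed above.
TRANSFORMS_CONF = """[contains_password_1]
DEST_KEY = _MetaData:Index
REGEX = Password reset called
FORMAT = sensitive

[flatten_summary_lookup]
filename = flatten_summary_lookup.csv
match_type = WILDCARD(url)
max_matches = 1
"""

# Constructed rows standing in for flatten_summary_lookup.csv; with
# WILDCARD(url) the url column holds patterns, not literal values.
LOOKUP_ROWS = [
    {"url": "/admin/*", "area": "admin"},
    {"url": "/api/*", "area": "api"},
    {"url": "*", "area": "other"},
]

def load_transforms(text):
    """Parse stanzas into {name: {key: value}}; configparser lowercases keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def route_index(raw_event, stanza, default_index="main"):
    """Index routing: a REGEX hit rewrites _MetaData:Index to the FORMAT value."""
    if stanza.get("dest_key") != "_MetaData:Index":
        return default_index
    return stanza["format"] if re.search(stanza["regex"], raw_event) else default_index

def wildcard_lookup(event, stanza, rows):
    """Emulate match_type = WILDCARD(field): rows are tried in order and at most
    max_matches are returned, so the first matching row wins when it is 1."""
    m = re.fullmatch(r"WILDCARD\((\w+)\)", stanza.get("match_type", ""))
    if not m:
        return []
    field = m.group(1)
    limit = int(stanza.get("max_matches", 1))
    hits = []
    for row in rows:
        # fnmatchcase also honours ? and [], which Splunk's matcher does not.
        if fnmatch.fnmatchcase(event.get(field, ""), row[field]):
            hits.append({k: v for k, v in row.items() if k != field})
            if len(hits) >= limit:
                break
    return hits
```

Because every row is tried in file order, the catch-all "*" row must come last or it will shadow the more specific patterns.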