Hello Community,

I have a lookup file policy_search.csv that has search criteria to find specific policy events in my data. The file looks like this:

    #, policy, search_criteria
    1, policyA, (policy="policyA") OR
    2, policyB, (policy="policyB" AND (protocol="X" OR protocol="Y")) OR
    3, policyC, (policy="policyC" AND channel="ch1") OR

I want to produce a search like the one below, but using the criteria in the lookup:

    index=events
    | search (policy="policyA") OR (policy="policyB" AND (protocol="X" OR protocol="Y")) OR (policy="policyC" AND channel="ch1")
    | table incident policy protocol channel

How could I do that? The idea is to maintain the search criteria in the lookup file and have changes reflected automatically in our reports.

I'm looking for something like

    index=events
    | search [| inputlookup policy_search.csv | stats values(search_criteria)]
    | table incident policy protocol channel

I really appreciate any help.

Thank you very much!

Adan Castaneda