Files

Some administrators may want attach or replace text from events recorded in a repository when searched. You can do this by creating CSV (comma-separated values) files and uploading them to the repository. These files can be used together with query functions. Click on the Files tab of the User Interface to add and manage such CSV files.

Loading Files

To upload a CSV file, click on the circled plus-sign (i.e.,⊕) at the top of the left margin. This will open a small box that will give you two choices: create a new file, or upload a file. If you choose to upload a file, a file browser box will appear for you to select a file on your local machine.

You might upload a CSV file be containing text like what you see below, which is essentially a lookup table that you can use for labels or value lookups.

yaml
userid,ip,username,region
1,"212.12.31.23","pete","EU"
2,"212.12.31.231","bob","EU"
3,"98.12.31.21","anders","EU"
4,"121.12.31.23","jeff","US"
5,"82.12.31.23","ted","AU"
6,"62.12.31.23","annie","US"
7,"122.12.31.23","joe","CH"
8,"112.11.11.21","alice","CH"
9,"212.112.131.22","admin","RU"
10,"212.12.31.23","wendy","EU"

Once it has been uploaded, it will look like what you see in Figure 1 here. You would use such a data table together with the lookup() and match() functions to add labels to the results of a search. Notice that the values are in quotes, except for the ones for userid, which are integers. See the Lookup API reference page for more information on this topic.

Figure 1, Loaded CSV File

Once you’ve uploaded a CSV file, you can edit the data — you don’t have to maintain the data in the CSV file and upload it again. Instead, just click on whichever field you want to edit and change it on the Files screen.

If you want to add another row to the data, click on the plus-sign at the bottom left of the table (see highlights in Figure 1). To add another column to be able to provide more fields to lookup, click on the plus-sign at the top right of the table. When you’re done editing, click the purple Save button at the top right.

Editing a data table through the Files interface page can be tedious. If you have many changes to make, you can download the file by clicking the Download button and then edit it in a spreadsheet program or a simple text editor, — whatever you prefer. You’ll have to delete the uploaded table by clicking on the circled x (i.e.,⊗), and then upload the file again.