https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407433#M190936 <P>To rename a field use '<EM>rename</EM>' command not '<EM>stats</EM>' which is to categorize data based on a particular field.</P> <PRE><CODE>index=identities sourcetype="Vantage" ee_status=* earliest=-1d@d latest=-0d@d | eval user = trim(replace(email, "@domain.com", "")) | search [| search index="wineventlog" sourcetype="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4625 earliest=-10m latest=now() | table user ] | eval fullname = toString(ad_fname) + " " + toString(ad_last_name) | table user,department,ad_fname,ad_last_name, Workstation_Name | rename user as "Login ID", fullname as "Full Name", department as Department, Workstation_Name as Device </CODE></PRE> <P><STRONG>Reference:</STRONG><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Stats">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Stats</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rename">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rename</A></P> Fri, 26 Jul 2019 05:19:28 GMT jawaharas 2019-07-26T05:19:28Z https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407432#M190935 <P>New to Splunk and having a difficult time returning the correct results. The below query works... meaning that it converts the email address to <STRONG>user</STRONG> from the <STRONG>identities</STRONG> index and successfully looks up the value of <STRONG>user</STRONG> in the <STRONG>wineventlog</STRONG> index that contain either <STRONG>EventCode 4624</STRONG> or <STRONG>4625</STRONG> based on the provide critera. However, when the <STRONG>stats</STRONG> are listed in the table after the query has completed, the <STRONG>values(user) as "Login ID"</STRONG> does not line up with <STRONG>values(fullname) as "Full Name", values(department) as Department</STRONG> and the <STRONG>device</STRONG> name does not show. <STRONG><EM>Example: Login ID = tJones Full Name = Sammy Smith</EM></STRONG> The goal is to have all the fields line up simular to Tjone | Tom Jones | Department Name | Device. Thanks in advance for any assistance provided. </P> <PRE><CODE>index=identities sourcetype="Vantage" ee_status=* earliest=-1d@d latest=-0d@d | eval user = trim(replace(email, "@domain.com", "")) | search [ | search index="wineventlog" sourcetype="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4625 earliest=-10m latest=now()| fields user| format] | table user,department,ad_fname,ad_last_name, Workstation_Name | eval fullname = toString(ad_fname) + " " + toString(ad_last_name) | stats values(user) as "Login ID", values(fullname) as "Full Name", values(department) as Department, values(Workstation_Name) as Device </CODE></PRE> Thu, 25 Jul 2019 22:14:16 GMT https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407432#M190935 lbrhyne 2019-07-25T22:14:16Z https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407433#M190936 <P>To rename a field use '<EM>rename</EM>' command not '<EM>stats</EM>' which is to categorize data based on a particular field.</P> <PRE><CODE>index=identities sourcetype="Vantage" ee_status=* earliest=-1d@d latest=-0d@d | eval user = trim(replace(email, "@domain.com", "")) | search [| search index="wineventlog" sourcetype="WinEventLog:Security" (EventCode=4624 AND Logon_Type=2) OR EventCode=4625 earliest=-10m latest=now() | table user ] | eval fullname = toString(ad_fname) + " " + toString(ad_last_name) | table user,department,ad_fname,ad_last_name, Workstation_Name | rename user as "Login ID", fullname as "Full Name", department as Department, Workstation_Name as Device </CODE></PRE> <P><STRONG>Reference:</STRONG><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Stats">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Stats</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rename">https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Rename</A></P> Fri, 26 Jul 2019 05:19:28 GMT https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407433#M190936 jawaharas 2019-07-26T05:19:28Z https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407434#M190937 <P>Thank you Jawaharas, that worked! The last thing I'm still not able to pull into the report is the Device name from the wineventlog, as it remains to be blank. </P> Fri, 26 Jul 2019 13:51:41 GMT https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407434#M190937 lbrhyne 2019-07-26T13:51:41Z https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407435#M190938 <P>Kindly accept the answer it it helped you, so others can refer it. </P> <P>The field names are case sensitive. Verify the field name 'Workstation_Name'</P> Sat, 27 Jul 2019 03:51:10 GMT https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407435#M190938 jawaharas 2019-07-27T03:51:10Z https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407436#M190939 <P>You should click <CODE>Accept</CODE> to close this question and if you have something different (even if related), ask another.</P> Sun, 28 Jul 2019 13:13:49 GMT https://community.splunk.com/t5/Splunk-Search/lookup-value-based-on-current-search-results/m-p/407436#M190939 woodcock 2019-07-28T13:13:49Z