When i add a lookup search, source field goes miss...

premraj_vs · ‎07-02-2018

Here is my query

> index="test" (source="*28q*" OR
> source="*29q*")  | bucket _time
> span=1d as day | rex field=_raw
> "(?P<Client_IP>\S+) - (?P<LanID>\S+)
> \[\d+\/\w+\/\d+:\d+:\d+:\d+
> -\d+]\s\"(?P<Http_Method>\w+)\s+(?P<URL>\S+)\s\S+\s(?P<HTTP_status>\d+)\s+(?<Bytes>\d+)"
> | search LanID !="-" | stats
> latest(_time) AS Last_Active_Time,
> earliest(_time) AS First_Active_Time
> by LanID,day | convert
> ctime(Last_Active_Time) | convert
> ctime(First_Active_Time) | lookup
> Markdowns-EndUserTracker LanID
> OUTPUTNEW "User Name",Role | rename
> LanID as Users, HTTP_status as
> "HTTP_code", source as "LogPath" |
> table Users,"User
> Name",Role,Last_Active_Time,First_Active_Time,
> source, HTTP_code

When i run this query, source field is empty. When i try to print source field directly ( without lookup ) i am getting the results. When i add lookup, why will data from previous search no longer be available ?

renjith_nair · ‎07-02-2018

Hi @premraj_vs,

In your base search your source field is filtered by stats | stats latest(_time) AS Last_Active_Time,earliest(_time) AS First_Active_Time by LanID,day and in lookup you are renaming source source as "LogPath". So there are no source fields to print. If you want to print source from the base search, include source also as part of stats command.

---
What goes around comes around. If it helps, hit it with Karma 🙂

When i add a lookup search, source field goes missing

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!