I have a few web application reports and they are great, except the log data only has the user's IP address, which I want to map to user names. I have good mapping data from my DHCP. But, I've been unable to find how I can use a data table to map the user name in for the IP address in my output table.
I'm using splunkcloud. Any pointers on how this can be done?
You could use your DHCP as a static lookup, then join within the query using 'lookup' or 'inputlookup' command.
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/lookup
Can you provide some sample events from DHCP and user data?
The DHCP data is not emitted into Splunk. It's just a static map of IP->User. I have it as an external CSV file, which I can import into Splunk if needed. My goal is then to use that mapping table of IP:User to swap out IP address for user names in my report table.
You can try uploading csv file as lookup and then map it with your report. This may help:
http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchTutorial/Usefieldlookups