Re: not able to display a column displaying data f...

ajromero · ‎06-24-2020

I have this search that actual display all the data I want, but I need to add one more column to display the user full name, so far I get this display

here is the query:

sourcetype=MSExchange:*:MessageTracking source_id=SMTP (event_id=RECEIVE) user_bunit=Energy (recipient_domain="x.com" OR recipient_domain="x.com")
| stats count as RECEIVE by recipient
| append [search sourcetype=MSExchange:*:MessageTracking source_id=SMTP (event_id=SEND) user_bunit=Energy (recipient_domain="x.com" OR recipient_domain="x.com")
|stats count as SEND by recipient]
| append [search sourcetype=MSExchange:*:MessageTracking user_bunit=Energy tag=delivery (recipient_domain="x.com" OR recipient_domain="x.com")
| stats count as delivery by recipient]
|lookup EnergyAD.csv src_user_nick as src_user_nick
| stats values(SEND) as SEND,values(RECEIVE) as RECEIVE, values(delivery) as delivery, values(src_user_nick) as src_user_nick by recipient

| rename recipient as "Email Account" SEND as "Outbound Messages" RECEIVE as "Inbound Messages" delivery as "Internal Messages"

displays this: it does not show anything under src_user_nick (which is the user full name)

The_Simko · ‎06-24-2020

In your example, the lookup table isn't using any fields to do the lookup with.

What field matches in the lookup table? I'm guessing recipient
So you'd need:

| lookup EnergyAD.csv recipient OUTPUT src_user_nick

The above needs recipient to match a field named recipient. See https://docs.splunk.com/Documentation/Splunk/8.0.4/SearchReference/Lookup

ajromero · ‎06-29-2020

that solve the issues thanks

not able to display a column displaying data from a lookup table

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!