I have a really simple query that I'd like to join with Enterprise Security's Identity inputlookup and grab a field from there.
Here is the simple SPL:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| table _time user
Trying to use a join to grab the data:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left overwrite=true user
[ |inputlookup my_identity_lookup | search identity=user | fields priority ]
| table _time user priority
But the priority field returns blank. Would appreciate any help fixing this!
Thanks in advance!
You must use the field name after AS. After your base search, please try the below:
| lookup my_identity_lookup identity AS user OUTPUT priority
Understood. When I try that it throws the error:
Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'my_identity_lookup, identity, AS, user, OUTPUT, priority'. See search.log for more details..
The SPL is:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority
| table _time user priority
Hi @cbschreiber,
You can use the lookup command without a join and subsearch:
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| lookup my_identity_lookup identity AS user OUTPUT priority
| table _time user priority
You are joining on 'user', but you don't return user in the subsearch, only priority. Change to:
| fields user priority
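As an added example that is not part of any post above, this is the join form of the original query made to work, assuming my_identity_lookup has the columns identity and priority as the question implies. The subsearch must emit a field with the same name as the join field, so identity is renamed to user, and the filter identity=user is dropped because in the search command it matches only rows whose identity is the literal string "user".

```spl
index=pan sourcetype="pan:system" log_subtype=globalprotect description IN ("GlobalProtect gateway client configuration generated*")
| join type=left user
    [ | inputlookup my_identity_lookup
      | rename identity AS user
      | fields user priority ]
| table _time user priority
```

A join subsearch is subject to Splunk's subsearch result limits, so for a large identity table the lookup command shown in the other answers is the more reliable choice.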
Hi Bowesmana,
I tried this but it did not help. Thank you for chiming in.