My search isnt showing data from lookup list

rtalcik · ‎03-26-2020

What my search is trying to do is whenever the search matches an item in the lookup list it should display the results which I can turn into an alert. however, it is not working or displaying results and I cant figure out why

rtalcik · ‎03-27-2020

thanks for answering -- however I ALWAYS have this this problem when i do it that way

Last 24 hours
Error in 'lookup' command: Must specify one or more lookup fields.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

and it is specifying a field in the lookup table

Richfez · ‎03-26-2020

Oh goodness, you are inputlookup'ing and smashing together data you can just 'lookup'.

(index=cisco* OR index=proxy) dest_ip="" OR domain=""
| rename dest_ip as emotet_ip
| rename domain as emotet_domain
| lookup emotet-lookup OUTPUT emotetDomain

That should match all matching fields up, and return emotetDomain from them. Simply and quickly.

rtalcik · ‎03-27-2020

i posted -- i always have an issue with your method.

My search isnt showing data from lookup list

Enterprise Security Content Update (ESCU) | New Releases

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...