Hi,
I have 2 queries:
Query1:
Message1,EventCode,Status
aaaaa,4625,0XC0000234
Query2:
Status,EventCode,action
0xC0000234,4625,denied
0XC0000234,4776,failure
*Note the lower- and upper-case "x": the match is case sensitive.
In Query1, the Status field is always uppercase (e.g. 0XC0000234, not 0xC0000234 or 0xc0000234).
When I perform a search and lookup:
index=a host=b | table Message1,EventCode,Status
| lookup blabla.csv Status OUTPUT action
I'm getting the output:
Message1,EventCode,Status,action
aaaaa,4625,0XC0000234,failure
The above is incorrect, as 4625 should return "denied" instead of "failure".
How do I do a lookup to first:
Or is there a better way aside from the 2 points I mentioned above?
Appreciate the help!
index=a host=b | table Message1,EventCode,Status
| lookup blabla.csv Status EventCode OUTPUT action
If the lookup is file-based, you can check/uncheck the "case sensitive" box (in lookup definitions - advanced settings).
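To show why both parts of the answer matter, here is an added Python emulation of the lookup matching (not Splunk's code and not from the original thread) run over the constructed sample rows from the question. It reproduces the "failure" result of the Status-only lookup, shows that matching on Status and EventCode alone still finds nothing while the comparison is case sensitive, and that the two-key, case-insensitive match returns "denied".

```python
import csv
import io

# Constructed sample data mirroring the question: the events (Query1) and
# the lookup file (Query2). Note the upper-case "X" in the event Status.
# (EventCode 4625 is a Windows failed logon; 0xC0000234 is the
# "account locked out" sub-status, so the action really should be "denied".)
EVENTS_CSV = """Message1,EventCode,Status
aaaaa,4625,0XC0000234
"""

LOOKUP_CSV = """Status,EventCode,action
0xC0000234,4625,denied
0XC0000234,4776,failure
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, keys, output, case_sensitive=True):
    """Emulate `| lookup <table> <keys> OUTPUT <output>`.

    For each event the first lookup row whose key fields all match is used.
    case_sensitive=False mimics unchecking the "case sensitive" box.
    """
    def norm(value):
        return value if case_sensitive else value.lower()

    results = []
    for event in events:
        matched = None
        for row in table:
            if all(norm(event[k]) == norm(row[k]) for k in keys):
                matched = row[output]
                break
        results.append({**event, output: matched})
    return results


def run_all():
    events, table = load_rows(EVENTS_CSV), load_rows(LOOKUP_CSV)
    both = ["Status", "EventCode"]
    return {
        "status_only": lookup(events, table, ["Status"], "action")[0]["action"],
        "two_keys_case_sensitive": lookup(events, table, both, "action")[0]["action"],
        "two_keys_case_insensitive": lookup(
            events, table, both, "action", case_sensitive=False)[0]["action"],
    }


if __name__ == "__main__":
    for name, action in run_all().items():
        print(f"{name}: {action}")
```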