I am trying to run a query where it compares a search result field against a field in the lookup table. I was able to get it working, but then I am trying to also show the corresponding field with that object that is located in the lookup table.
This is what I have so far
index=zscaler sourcetype="zscaler:syslog:zscaler_web_policy"
[| inputlookup "riskiq_last_status"
| return 1000 $name]
| table url status
It is just matching the name field in the lookup table to the url field in the index search query. I am guessing the status field is blank because there isn't a status field in the index search results.
How do I add a field in the lookup table to the search query results?
You are using the lookup as a filter to the outer search. If you want to add fields to the data reported, then you use the lookup as a lookup, i.e.
| lookup riskiq_last_status name as url OUTPUT status
Hope this helps
Thanks for the reply,
I tried that and I still get nothing in the status, the only thing I can think of is that the data in the url field doesn't exactly match what is in the lookup table.
Lookup table value = carecredit.citymaps.com
Search field value = carecredit.citymaps.com/
Is there a way to do a contains lookup instead of an exact match?
I did an eval and trimmed the / at the end before it did the lookup function and it returns the monitor now.
The question is now how can I do a wildcard lookup because this is doing an exact lookup on the status field.
You can add the * character to the value of the field in the lookup file and in the advanced options part of the lookup definition for that lookup, make that field a wildcard field in the match type, e.g. WILDCARD(name)
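Putting the two replies together, here is a complete search that normalizes the trailing slash, uses the lookup to enrich rather than filter, and keeps only the events that actually matched. This is an added example, not a search from this thread; the field names url_key and riskiq_status are my own choices, and it assumes the riskiq_last_status lookup has name and status columns as described above.

```spl
index=zscaler sourcetype="zscaler:syslog:zscaler_web_policy"
| eval url_key=rtrim(url, "/")
| lookup riskiq_last_status name AS url_key OUTPUT status AS riskiq_status
| where isnotnull(riskiq_status)
| table _time url url_key riskiq_status
```

The rtrim removes the trailing slash so carecredit.citymaps.com/ matches carecredit.citymaps.com; outputting to riskiq_status instead of status avoids clobbering any status field the Zscaler events already carry; and the where clause reproduces the original subsearch behaviour of only showing URLs present in the lookup, with the matched status now visible. For wildcard matching, the lookup definition's advanced options set the match type to WILDCARD(name) (in transforms.conf this is match_type = WILDCARD(name) on the lookup stanza), after which a lookup row whose name is *.citymaps.com will match any host under that domain; values in the CSV without a * still match exactly, so wildcard and exact entries can coexist.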