
Do lookup fields work in conjunction with fields that have been created using rex in the search string?

Communicator

Do lookup fields work in conjunction with fields that have been created in the search string?

The 'user' field gives me user IDs, and I created a lookup table to change the IDs into names, but it is not working. The lookup changes the field 'user' to 'name', and the search string is the following:

rex field=_raw ".*Login succeeded for user: (?<user>.*)" | chart count over name

I apologize that there isn't a lot of detail here on how I did it, but I do believe that the methodology is correct. I created another lookup for a prepopulated field and that seemed to work just fine. I can't get the lookup to work for the rex field. Is this even possible?

Any ideas? Thanks in advance!


Re: Do lookup fields work in conjunction with fields that have been created using rex in the search string?

Contributor

You need to include the lookup command in your search. See the documentation here.

Assuming your lookup table was named "usernames", your search would look something like this:

rex field=_raw ".*Login succeeded for user: (?<user>.*)" | lookup usernames user OUTPUT name | chart count over name
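The following search is an added example, not code from either poster. It builds three constructed login events with makeresults, extracts the ID with rex, and resolves it through a lookup. It assumes a Lookup Definition named usernames whose CSV has the header columns user and name (for example a row u1001,Alice Example); if your CSV column is called something else, such as userid, map it with "lookup usernames userid AS user OUTPUT name". OUTPUTNEW instead of OUTPUT leaves any existing name field untouched, and the eval after the lookup keeps IDs that have no row in the table visible in the chart instead of silently dropping them.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "Jun 12 10:01:02 app01 sshd: Login succeeded for user: u1001",
                 n==2, "Jun 12 10:01:09 app01 sshd: Login succeeded for user: u1002",
                 n==3, "Jun 12 10:01:15 app01 sshd: Login succeeded for user: u1001")
| rex field=_raw "Login succeeded for user: (?<user>\S+)"
| lookup usernames user OUTPUTNEW name
| eval name=coalesce(name, "unknown(".user.")")
| chart count OVER name
```

Two checks are worth running before the full search. First, "| inputlookup usernames" on its own confirms that the name you pass to lookup resolves: the lookup command takes the Lookup Definition's name, not the uploaded file's name, and the definition's permissions must make it visible in the app you are searching from, which is the usual cause of a "lookup table does not exist" error. Second, capturing the ID with \S+ rather than .* avoids pulling trailing text from the event into the key, which would make every row miss the table.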

Re: Do lookup fields work in conjunction with fields that have been created using rex in the search string?

Communicator

Thanks for the tip; I've got a related question, now.
I tried running this command, but I keep getting an error message stating that the lookup table does not exist.

Searching by this error message, it seems that other answers to similar questions state that something needs to be done to either the config file or the props file. Currently, I don't have access to modify either of those files. Is one of these files where the lookup table name comes from? If not, then where?

The way that I've inserted the lookup file into Splunk is by creating an automated lookup (using all 3 options: Lookup Table, Lookup Definition, Lookup Automation). Does one of these steps need to be referenced for the lookup table name? Everything I've tried hasn't worked yet.


Re: Do lookup fields work in conjunction with fields that have been created using rex in the search string?

Contributor

Yes, you need to create the lookup table and upload it to the Splunk server before you can use it to perform lookups.

The process is well documented in the Knowledge Manager Manual and in section 5 of the Splunk Tutorial (which I highly recommend). Alternatively, I would recommend talking with your Splunk Admins.