Do lookup fields work in conjunction with fields that have been created in the search string?
The output of user gives me user IDs and I created a lookup table to change the IDs into names, however it is not working. The lookup changes the field 'user' to 'name' and the search string is the following:
rex field=_raw ".*Login succeeded for user: (?<user>.*)" | chart count over name
I apologize that there isn't a lot of detail here into how I did it, however I do believe that the methodology is correct. I created another lookup for a prepopulated field and that seemed to work just fine. I can't get the lookup to work for the rex field. Is this even possible?
Any ideas? Thanks in advance!
You need to include the lookup command in your search. See the documentation here.
Assuming your lookup table was named "usernames", your search would look something like this:
rex field=_raw ".*Login succeeded for user: (?<user>.*)" | lookup usernames user OUTPUT name | chart count over name
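To make the behaviour of that pipeline concrete, here is an added example that is not part of the thread: a small Python model of `rex | lookup | chart count over name` run over a handful of constructed log lines and a constructed `usernames.csv`. The event text, user IDs and names are invented; the point is the semantics. A row whose user ID is missing from the lookup never gets a `name`, so `chart count over name` silently drops it, and the original search without `| lookup` produces no rows at all because `name` never exists. The extra `unmapped_users` helper lists the IDs that fell through, which for a login log is exactly the set you would want to notice.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample events standing in for _raw (not taken from the thread).
RAW_EVENTS = [
    "2024-01-01T10:00:00 sshd[101]: Login succeeded for user: u1001",
    "2024-01-01T10:01:00 sshd[102]: Login succeeded for user: u1002",
    "2024-01-01T10:02:00 sshd[103]: Login succeeded for user: u1001",
    "2024-01-01T10:03:00 sshd[104]: Login failed for user: u1003",
    "2024-01-01T10:04:00 sshd[105]: Login succeeded for user: u9999",
]

# Constructed lookup table standing in for usernames.csv (columns: user,name).
USERNAMES_CSV = """user,name
u1001,alice
u1002,bob
u1003,carol
"""

# Python spells the named group (?P<user>...); \S+ is used instead of the
# thread's .* so the capture stops at whitespace rather than running to EOL.
LOGIN_RE = re.compile(r"Login succeeded for user: (?P<user>\S+)")


def rex(events):
    """Mimic `rex field=_raw "..."`: non-matching events get no `user` field."""
    rows = []
    for raw in events:
        row = {"_raw": raw}
        m = LOGIN_RE.search(raw)
        if m:
            row["user"] = m.group("user")
        rows.append(row)
    return rows


def load_lookup(csv_text):
    """Parse the CSV lookup into {user: name}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {r["user"]: r["name"] for r in reader}


def lookup(rows, table, key="user", output="name"):
    """Mimic `lookup usernames user OUTPUT name`: unmatched rows get no `name`."""
    for row in rows:
        if key in row and row[key] in table:
            row[output] = table[row[key]]
    return rows


def chart_count_over(rows, field):
    """Mimic `chart count over <field>`: rows lacking the field are dropped."""
    return dict(Counter(r[field] for r in rows if field in r))


def run(events=RAW_EVENTS, csv_text=USERNAMES_CSV, use_lookup=True):
    """Full pipeline; use_lookup=False reproduces the original (broken) search."""
    rows = rex(events)
    if use_lookup:
        rows = lookup(rows, load_lookup(csv_text))
    return chart_count_over(rows, "name")


def unmapped_users(events=RAW_EVENTS, csv_text=USERNAMES_CSV):
    """User IDs extracted by rex that the lookup table does not know about."""
    rows = lookup(rex(events), load_lookup(csv_text))
    return sorted({r["user"] for r in rows if "user" in r and "name" not in r})


if __name__ == "__main__":
    print("with lookup:   ", run())                  # {'alice': 2, 'bob': 1}
    print("without lookup:", run(use_lookup=False))  # {}
    print("unmapped:      ", unmapped_users())       # ['u9999']
```

In Splunk the equivalent check for the unmapped set is `... | lookup usernames user OUTPUT name | where isnull(name) | stats count by user`, which is worth running once before trusting the chart.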
Thanks for the tip; I've got a related question, now.
I tried running this command, but keep getting an error message stating that the lookup table does not exist.
Searching by this error message, it seems that other answers to similar questions state that something needs to be done to either the config file or the props file. Currently, I don't have access to modify either of those files. Is one of these files where the lookup table name comes from? If not, then where?
The way that I've inserted the lookup file into Splunk is by creating an automated lookup (using all 3 options: Lookup Table, Lookup Definition, Lookup Automation). Does one of these steps need to be referenced for the lookup table name? Everything I've tried hasn't worked yet.
Yes, you need to create the lookup table and upload it to the Splunk server before you can use it to perform lookups.
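For reference, this is what the three UI steps write to disk; it is an added illustration, not something from the thread, and it assumes the CSV is called usernames.csv with columns user,name, lives in the search app, and that the sourcetype is named my_auth_sourcetype. The name you pass to `| lookup` is the transforms.conf stanza name (the "Lookup Definition" name in the UI), not the CSV filename. If `| inputlookup usernames` also reports that the table does not exist, the usual causes are a mismatch between that stanza name and the name in the search, or a lookup file or definition whose permissions are private to another app or user.

```ini
# $SPLUNK_HOME/etc/apps/search/lookups/usernames.csv   (columns: user,name)

# $SPLUNK_HOME/etc/apps/search/local/transforms.conf
# The stanza name is what `| lookup usernames ...` and `| inputlookup usernames` refer to.
[usernames]
filename = usernames.csv

# $SPLUNK_HOME/etc/apps/search/local/props.conf
# Optional automatic lookup. It applies to fields that exist at search time for
# this sourcetype; it does not see a field created later by `rex` in the search
# string, so that case still needs the explicit `| lookup` command.
[my_auth_sourcetype]
LOOKUP-usernames = usernames user OUTPUT name
```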