Here is the search and lookup,
I need to capture the value, last_logon_lookup_20180928.csv
We need the value in bold above as a value in a field in the results called sourcefile
Search is shown below
index=wineventlog sourcetype=WinEventLog:Security [| inputlookup last_logon_lookup_20180928.csv
| fields Account_Name] | lookup last_logon_lookup_20180928.csv Account_Name output Account_Name LASTLOGON
| table Account_Name LASTLOGON sourcefile
One thought we had was to use the REST API, but we could not get that integrated in the search to produce the required results
This gets us the lookup filename
| rest /services/data/transforms/lookups | search filename=*last* |table sourcefile
Thanks in advance
Robert
Try this:
index=wineventlog sourcetype=WinEventLog:Security
[| inputlookup last_logon_lookup_20180928.csv
| fields Account_Name]
| lookup [| rest /services/data/transforms/lookups | search filename=*last* | head 1 | return $filename ] Account_Name OUTPUT Account_Name LASTLOGON
| table Account_Name LASTLOGON sourcefile
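Extending the REST-subsearch pattern above into one search that resolves the lookup filename at run time in all three places Robert needs it (the inputlookup, the lookup and the sourcefile field); this is an added example, not part of the original answer, and it assumes the files are named last_logon_lookup_YYYYMMDD.csv so that sorting on filename picks the newest one, and that splunk_server=local reaches the instance holding the lookup:

```spl
index=wineventlog sourcetype=WinEventLog:Security
    [| inputlookup
        [| rest /services/data/transforms/lookups splunk_server=local
         | search filename="last_logon_lookup_*.csv"
         | sort - filename
         | head 1
         | return $filename]
     | fields Account_Name]
| lookup
    [| rest /services/data/transforms/lookups splunk_server=local
     | search filename="last_logon_lookup_*.csv"
     | sort - filename
     | head 1
     | return $filename] Account_Name OUTPUT LASTLOGON
| eval sourcefile=
    [| rest /services/data/transforms/lookups splunk_server=local
     | search filename="last_logon_lookup_*.csv"
     | sort - filename
     | head 1
     | return $filename]
| table Account_Name LASTLOGON sourcefile
```

Each subsearch is expanded to the quoted filename before the outer search runs, so `return $filename` supplies the lookup name to inputlookup and lookup and a string literal to eval; the REST call is repeated three times, so if the inventory of lookups is large, wrap that subsearch in a macro rather than pasting it.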
index=wineventlog sourcetype=WinEventLog:Security [| inputlookup last_logon_lookup_20180928.csv
| fields Account_Name] | lookup last_logon_lookup_20180928.csv Account_Name output Account_Name LASTLOGON
|eval sourcefile="last_logon_lookup_20180928.csv"
| table Account_Name LASTLOGON sourcefile
Hi Robert! I'm not sure which part of the main search is dynamic: Is it both the "last_logon_lookup_20180928.csv" occurrences or is it "sourcefile" at the very end?
How about using a dashboard with a token?