Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Lookup file data in a search string

rashi83
Explorer
‎02-25-2020 08:11 AM

Hi ,

I have following search string , where Username field is extracted using rex command . Now I want to use a lookup file which has field "user" which matches the extracted "Username" field . How can I use lookup commands to match this and get more interested fileds like Office in the search string
index="x"
| rex field=_raw "(?:Users%5C)(?(.*))(?:%5C(local|input))"

0 Karma
Reply

vnravikumar
Champion
‎02-25-2020 08:46 AM

Hi

Try like

...your query |lookup <<lookupname>> user AS Username OUTPUT Office
0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes and swag!