Hi, I am trying to do a Lookup with a calculated field.
Details:
I have a csv containing three columns:
DomainName,ThreatName,Date
And my base search has a field "DomainName" which contains domains, with "www." appended in some of the domain results.
So I formulated my search like:
base search
| eval calcDomainName = replace(DomainName,"www\.", "")
| lookup iocs_domains DomainName as calcDomainName OUTPUT ThreatName, Date
| table calcDomainName ThreatName Date
In my Lookup Definition, I have put "no_match" as my default.
However, when searched with the above, I don't get any fields like "ThreatName" or "Date" in my output.
My Lookup is uploaded in search app and permissions are read for everyone. I am also searching the same under Search App only. And I can view contents of my csv with below command under Search & Reporting App:
| inputlookup iocs_domains
I even verified the order of processing, in which calculated fields precede lookups.
Unable to understand what I am doing wrong.
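An offline reproduction of the normalize-then-lookup step described above, added here as an example; it is not part of the original post and not Splunk code. It is written in Python rather than SPL so it can be run without a Splunk instance, and it goes a little beyond the post: the key is lowercased and stripped of a trailing dot as well as of the "www." label, and it contrasts an anchored `^www\.` with the unanchored `www\.` of the original replace, which also removes a "www." label in the middle of a name. The IOC table, the sample events and the function names normalize_domain, load_iocs and lookup_events are constructed for this example.

```python
import csv
import io
import re

# Constructed sample lookup table in the same three-column layout as the
# post's iocs_domains csv (DomainName,ThreatName,Date). Not real IOC data.
IOC_CSV = """DomainName,ThreatName,Date
bad.example,TrojanDownloader,2023-01-10
malware.test,Stealer,2023-02-02
www.phish.example,PhishKit,2023-03-15
cdn.bad.example,Beacon,2023-04-01
"""

# Constructed sample events: the DomainName field as it arrives from the base
# search, some with a "www." prefix, mixed case, a trailing dot, and one with
# "www." as a middle label.
EVENTS = [
    {"DomainName": "www.bad.example"},
    {"DomainName": "bad.example"},
    {"DomainName": "Malware.Test."},
    {"DomainName": "www.phish.example"},
    {"DomainName": "cdn.www.bad.example"},
    {"DomainName": "clean.example"},
]

# Value the post configures as the lookup definition's default.
NO_MATCH = "no_match"

UNANCHORED_WWW = re.compile(r"www\.")   # what replace(DomainName,"www\.","") matches
ANCHORED_WWW = re.compile(r"^www\.")    # matches only a leading www. label


def normalize_domain(name: str, anchored: bool = True) -> str:
    """Equivalent of the calcDomainName eval, plus the hygiene a lookup key
    needs: trim whitespace, lowercase, drop a trailing dot, then remove the
    www. label. anchored=False reproduces the original unanchored regex,
    which strips "www." wherever it occurs in the name."""
    key = name.strip().lower().rstrip(".")
    pattern = ANCHORED_WWW if anchored else UNANCHORED_WWW
    return pattern.sub("", key)


def load_iocs(csv_text: str) -> dict:
    """Build the lookup table keyed on the normalized DomainName column, so a
    lookup row that itself carries "www." still matches a bare domain."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        table[normalize_domain(row["DomainName"])] = {
            "ThreatName": row["ThreatName"],
            "Date": row["Date"],
        }
    return table


def lookup_events(events, iocs, anchored: bool = True):
    """Equivalent of
       | lookup iocs_domains DomainName as calcDomainName OUTPUT ThreatName, Date
    with the default value filled in when no lookup row matches."""
    results = []
    for ev in events:
        key = normalize_domain(ev["DomainName"], anchored=anchored)
        hit = iocs.get(key)
        results.append({
            "calcDomainName": key,
            "ThreatName": hit["ThreatName"] if hit else NO_MATCH,
            "Date": hit["Date"] if hit else NO_MATCH,
        })
    return results


if __name__ == "__main__":
    iocs = load_iocs(IOC_CSV)
    print("anchored ^www\\. :")
    for row in lookup_events(EVENTS, iocs):
        print(row)
    print("unanchored www\\. :")
    for row in lookup_events(EVENTS, iocs, anchored=False):
        print(row)
```

With the unanchored pattern, the event for cdn.www.bad.example is keyed as cdn.bad.example and matches that IOC row, so a different host is reported as a hit; the anchored pattern leaves it unmatched. Two Splunk-side points worth checking against the post's setup: CSV lookups match case-sensitively unless the lookup definition is configured otherwise, so a lowercase step before the lookup is cheap insurance, and a lookup definition's default match value is only emitted when its minimum matches setting is at least 1, so a default of "no_match" on its own does not guarantee the output fields appear for unmatched events.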
That is not a Calculated Field. Calculated fields are done automatically rather than via an eval statement in a query.
Have you verified the replace function is working properly? Another way to make the same change is using the rex command.
| rex field=DomainName mode=sed "s/www\.//"
Ok, that clarifies. Yes, the replace is working perfectly.
Then please share some sample events and sample lookup table entries so we can help troubleshoot further.
I replaced eval with rex and things started to work. It seems lookups don't work on eval fields.