Is it possible to have a lookup table keyed off of an extracted field?
Given the props:
[foo]
EXTRACT-bu = ^(?<bu>.{5})\- in host
LOOKUP-bu = bu_fields bu
and the transforms:
[bu_fields]
filename = buFields.csv
Should this work?
I believe the lookup table is there, because this works as expected:
sourcetype="foo" | lookup bu_fields bu
Yes of course. In fact almost all fields are extracted, so this is what lookups normally do. Generally, the order at search time is:
This answer was written before calculated fields. Now that we have calculated fields: 4.5 = EVAL (calculated fields)
I think an indexed field is the answer in this case.
or by using where or search after the initial search, or by creating an indexed field.
Well, actually, are you trying to do a reverse lookup? That won't work if the extracted value is not from the _raw field, and yours is from host. The forward lookup should work okay though. You can make it work with much-diminished performance by setting INDEXED_VALUE = false in fields.conf for the bu field.
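Putting the pieces of this thread together as one added, illustrative configuration (not from the original post, and not copied from Splunk's documentation): the props.conf and transforms.conf stanzas from the question, a constructed buFields.csv, and the fields.conf setting from the comment above for the reverse-lookup case. The CSV columns, host names, and business-unit values are assumptions made for the example.

```ini
# props.conf  (the stanza is keyed on sourcetype "foo", as in the question)
[foo]
# Take the first five characters of the host field as "bu". The trailing
# "in host" makes the regex run against host, not _raw, so the value of bu
# never appears as an indexed token in the raw event.
EXTRACT-bu = ^(?<bu>.{5})\- in host
# Automatic (forward) lookup: match the extracted bu against the bu column
# of the table and add the table's other columns to every matching event.
LOOKUP-bu = bu_fields bu

# transforms.conf
[bu_fields]
filename = buFields.csv

# buFields.csv  (constructed sample; lives in the app's lookups directory)
# bu,bu_name,bu_owner
# ACMEA,Accounting,alice
# ACMEB,Billing,bob

# fields.conf  (only needed for the reverse-lookup case)
# Searching on a lookup output field, e.g.  sourcetype=foo bu_name=Billing,
# makes Splunk rewrite the search in terms of the input field bu. Because bu
# comes from host rather than _raw, that rewritten term has nothing to match
# in the index and the search returns no events. INDEXED_VALUE = false tells
# Splunk not to treat bu values as indexed terms, so the match is done as a
# filter over every event the rest of the search returns: correct, but with
# the reduced performance noted in the thread.
[bu]
INDEXED_VALUE = false
```

With a host such as ACMEA-web01, the forward direction can be checked with `sourcetype=foo | table host bu bu_name bu_owner`, which should show Accounting and alice filled in without an explicit lookup command; the reverse direction, `sourcetype=foo bu_name=Billing`, only returns events once the fields.conf stanza is in place (or once bu is made an indexed field, as suggested above).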
Yeah, I've made it work with another test, so something is weird in that config.
Looks like I'll need to make an indexed field out of bu if I want to search against the fields in the lookup, though.