output lookup search correlation with input lookup...

brdr · ‎04-23-2018

Hello, can you use a output lookup table just after creating it? I have this search...

When I run this I get no data found, however, when I separate out the outputlookup command and the subsearch and run I get results as expected.

brdr · ‎04-23-2018

reposted initially as an Answer: reposting as a comment:

My use case is:
I need a count of users by there business units. To do this I do:
output list IPs as seen in blue coat logs
index=indexA sourcetype=mystA | table src | outputlookup new.csv
using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
| search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
| table user
| lookup user.csv uname as user OUTPUT displayName businessUnit
| stats count by businessUnit

brdr · ‎04-23-2018

My use case is:

I need a count of users by there business units. To do this I do:

output list IPs as seen in blue coat logs
index=indexA sourcetype=mystA | table src | outputlookup new.csv
using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
| search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
| table user
| lookup user.csv uname as user OUTPUT displayName businessUnit
| stats count by businessUnit

somesoni2 · ‎04-23-2018

I don't think you can do that. What's your use case here?

output lookup search correlation with input lookup data

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!