Thanks for that.
My full query is the following.
index=linux_syslog netgroup=sap* process="sshd" "session opened for user"
| rex field=_raw "session opened for user (?<user>.*) by"
| lookup groupLookup user OUTPUTNEW gid posixgroup given sn
| convert timeformat="%d/%m/%y" ctime(_time) as login_time
| search posixgroup="groupname"
| chart values(posixgroup), values(given), values(sn), latest(login_time) by user
| rename user AS "User", values(posixgroup) AS "Groups", values(given) AS "Given Name", values(sn) AS Surname, latest(login_time) AS "Last Login"
I think the reason this is not working is that the first name (given) and the surname (sn) are being generated only by the lookup, not taken from the actual log itself, and therefore it fails.
Now, unless there is some nifty way I can do this, the only other way to get around it is to just export the data into the lookup:
lookup groupLookup user OUTPUTNEW gid posixgroup given sn fullname
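The pipeline in the query above, reproduced offline as an added example (this is not the poster's code and not Splunk's own implementation): parse the sshd "session opened for user" lines with the same regex, join each event against a lookup table with OUTPUTNEW semantics (fields are filled only when the event does not already carry them), filter on posixgroup, and build the per-user last-login table. The syslog lines, the lookup CSV, the year 2024 used to complete the year-less syslog timestamps, and the group name sapadmins are all constructed assumptions; carol is deliberately missing from the lookup so the unmatched case is visible.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample syslog lines (not real data): sshd session-open events.
SAMPLE_SYSLOG = """\
Mar  3 08:15:02 sapapp01 sshd[2231]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 09:40:17 sapapp02 sshd[2410]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar  4 07:02:55 sapapp01 sshd[3102]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  4 11:11:11 sapapp03 sshd[3311]: pam_unix(sshd:session): session opened for user carol by (uid=0)
"""

# Constructed stand-in for the groupLookup table (user -> gid, posixgroup, given, sn).
# carol is intentionally absent to show what an unmatched lookup leaves behind.
SAMPLE_LOOKUP_CSV = """\
user,gid,posixgroup,given,sn
alice,1001,sapadmins,Alice,Anders
bob,1002,sapadmins,Bob,Brown
dave,1003,dbadmins,Dave,Dixon
"""

# Same capture as the rex command in the query; \S+ instead of .* so the
# user name stops at the first space rather than greedily running to " by".
SESSION_RE = re.compile(r"session opened for user (?P<user>\S+) by")

LOOKUP_FIELDS = ("gid", "posixgroup", "given", "sn")


def parse_session_events(raw, year=2024):
    """Extract user and _time from each matching line. Syslog carries no year,
    so the caller supplies one (assumption: 2024 for the constructed sample)."""
    events = []
    for line in raw.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue
        mon, day, clock, _rest = line.split(None, 3)
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append({"user": m.group("user"), "_time": ts.replace(tzinfo=timezone.utc)})
    return events


def load_lookup(csv_text):
    """Index the lookup CSV by the join field, as Splunk does for `lookup ... user`."""
    return {row["user"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def enrich(events, lookup):
    """lookup groupLookup user OUTPUTNEW gid posixgroup given sn.
    OUTPUTNEW only writes a field the event does not already have; an event
    whose user is not in the table simply gets no value for those fields."""
    for ev in events:
        row = lookup.get(ev["user"])
        for field in LOOKUP_FIELDS:
            ev.setdefault(field, row[field] if row else None)
    return events


def unmatched_users(events):
    """Users whose events got nothing from the lookup (the rows the search on
    posixgroup silently drops)."""
    return sorted({ev["user"] for ev in events if ev.get("posixgroup") is None})


def last_login_report(events, posixgroup):
    """search posixgroup=<group> | chart values(...) latest(login_time) by user | rename ...
    Latest login is chosen on _time, then rendered with the %d/%m/%y format."""
    rows = {}
    for ev in events:
        if ev.get("posixgroup") != posixgroup:
            continue
        r = rows.setdefault(ev["user"], {"groups": set(), "given": set(), "sn": set(),
                                         "latest": ev["_time"]})
        r["groups"].add(ev["posixgroup"])
        r["given"].add(ev["given"])
        r["sn"].add(ev["sn"])
        if ev["_time"] > r["latest"]:
            r["latest"] = ev["_time"]
    return [
        {
            "User": user,
            "Groups": sorted(rows[user]["groups"]),
            "Given Name": sorted(rows[user]["given"]),
            "Surname": sorted(rows[user]["sn"]),
            "Last Login": rows[user]["latest"].strftime("%d/%m/%y"),
        }
        for user in sorted(rows)
    ]


if __name__ == "__main__":
    evs = enrich(parse_session_events(SAMPLE_SYSLOG), load_lookup(SAMPLE_LOOKUP_CSV))
    for row in last_login_report(evs, "sapadmins"):
        print(row)
    print("not in lookup:", unmatched_users(evs))
```

Running it with the constructed input yields one row each for alice and bob; carol never reaches the report because her events have no posixgroup to match, and unmatched_users() lists her. Checking that list against the lookup is the quickest way to tell whether a missing user is a lookup-coverage problem rather than a query problem.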