Just proved myself wrong, I can user coalesce.   eval account=coalesce(account,uid)   if not found it will just list the uid. Thanks. ... View more

Only issue with that from what I see is if there is no value in the table for uid lookup, then nothing is returned. Which means that possibly an unresolved audit record will not be shown in the table. I was going to enhance my python script to return the uid if the lookup was unsuccessful, so at least the unresolved uid would be shown in the query. ... View more

Thanks I'll check the link, I've read till my eyes have bled. Here's what I'm doing. A dashboard query similar to sourcetype=linux_audit............. | stats by uid,host which gives me a table of uid and hosts. Unfortunately the audit records in question don't have the user account name, just the uid. What I want to do is turn that table into user, host by passing the uid's to a python script like import sys import pwd arg=int(sys.argv[1]) results=pwd.getpwuid(arg).pw_name print(results)   My python scripts works as expected and I can call it from the command line with the expected results. I made an entry in transforms.conf.   what's tripping me up is how to invoke it correctly. ... View more