Here is my query:
> index="test" (source="*28q*" OR source="*29q*")
> | bucket _time span=1d as day
> | rex field=_raw "(?P<Client_IP>\S+) - (?P<LanID>\S+) \[\d+\/\w+\/\d+:\d+:\d+:\d+ -\d+]\s\"(?P<Http_Method>\w+)\s+(?P<URL>\S+)\s\S+\s(?P<HTTP_status>\d+)\s+(?<Bytes>\d+)"
> | search LanID!="-"
> | stats latest(_time) AS Last_Active_Time, earliest(_time) AS First_Active_Time by LanID, day
> | convert ctime(Last_Active_Time)
> | convert ctime(First_Active_Time)
> | lookup Markdowns-EndUserTracker LanID OUTPUTNEW "User Name", Role
> | rename LanID as Users, HTTP_status as "HTTP_code", source as "LogPath"
> | table Users, "User Name", Role, Last_Active_Time, First_Active_Time, source, HTTP_code
When I run this query, the source field is empty. When I try to print the source field directly (without the lookup), I get results. When I add the lookup, why is data from the previous search no longer available?