I have two sources from Log files: “source1web”, “source2auth”, they both list IP addresses, but are named differently, source1web the field is “Server”, “and source2auth is “IP1”.
I need to check both logs against a lookup table “lookup1” the field in the lookup table is “Server”
Searching against 1 source works
index=index1 sourcetype=source1web [| inputlookup lookup1.csv | fields Server] |
index=index1 sourcetype=source2auth [| inputlookup lookup1.csv | fields Server | rename Server as IP1] |
when I have tried to combine the 2 it doesn't produce any results
... View more