Re: inputlookup subsearch not working in a dashboa...

hugohctint · ‎04-23-2018

sourcetype="SIPPRD" NOT [inputlookup Login_Exclusion_User.csv |fields LOGIN_EXCLUSION_USER] AND NOT [inputlookup Login_Exclusion.csv |fields LOGIN_EXCLUSION] AND NOT [inputlookup Login_Exclusion_OS.csv |fields LOGIN_EXCLUSION_OS] AND ACTION_NAME IN ("LOGON", "LOGOFF", "LOGOFF BY CLEANUP")|table TIMESTAMP, USERNAME, ACTION_NAME,

It run fine as admin as report or dashboard but if misses the input lookup subsearch if it runs as any other user in a dashboard but runs fine on a report under any user. Even I assigned the user to the admin role and still not running.
If a just put the "|inputlookup Login_Exclusion_User.csv |fields LOGIN_EXCLUSION_USER" alone it reads the file correctly.

woodcock · ‎04-23-2018

Check BOTH lookup files to make sure that they are BOTH set to have App and not Private for Sharing.

hugohctint · ‎04-24-2018

I checked and there are all global but still the same result. Ignoring the inputlookup subserch. Any other suggestion? Thanks

ssadanala1 · ‎04-23-2018

Can you try re writing the search like this and try

sourcetype = *SIPPRD ACTION_NAME IN ("LOGON", "LOGOFF", "LOGOFF BY CLEANUP")||table TIMESTAMP , USERNAME,ACTION_NAME |search NOT [inputlookup Login_Exclusion.csv |fields LOGIN_EXCLUSION] |search NOT [inputlookup Login_Exclusion_OS.csv |fields LOGIN_EXCLUSION_OS]

Let know if any this search runs any resultss

hugohctint · ‎04-23-2018

Hi Ssadanala1, It runs with the same results, no difference, still the same issue.

hugohctint · ‎04-23-2018

thanks, any other idea?

inputlookup subsearch not working in a dashboard as user other than admin

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024