We're using the Azure Monitoring Data Add-on to integrate Splunk and Azure. The Azure events have the subscription ID value (fields name is am_subscriptionId) in each of the events. I would like to be able to put a name/email address to the subscription. I have a lookup table configured which has the fields subscriptionID, subscriptionName, and subscriptionContact. I have attempted to use lookups to no avail. Below is my search. I would like to have a table result with the am_subscriptionId, subscriptionName, and subscriptionContact displayed.
| lookup azure_subscription_id_to_support_group subscriptionID AS am_subscriptionId OUTPUT subscriptionName