
Do lookup fields work in conjunction with fields that have been created using rex in the search string?

Splunkster45
Communicator

Do lookup fields work in conjunction with fields that have been created in the search string?

The output of user gives me user IDs, and I created a lookup table to change the IDs into names; however, it is not working. The lookup changes the field 'user' to 'name', and the search string is the following:

rex field=_raw ".*Login succeeded for user: (?<user>.*)" | chart count over name

I apologize that there isn't a lot of detail here on how I did it; however, I do believe that the methodology is correct. I created another lookup for a prepopulated field and that seemed to work just fine. I can't get the lookup to work for the rex field. Is this even possible?

Any ideas? Thanks in advance!


jimodonald
Contributor

You need to include the lookup command in your search. See the documentation here.

Assuming your lookup table was named "usernames", your search would look something like this:

rex field=_raw ".*Login succeeded for user: (?<user>.*)" | lookup usernames user OUTPUT name | chart count over name

Splunkster45
Communicator

Thanks for the tip; I've got a related question, now.
I tried running this command, but I keep getting an error message stating that the lookup table does not exist.

Searching by this error message, it seems that other answers to similar questions state that something needs to be done to either the config file or the props file. Currently, I don't have access to modify either of those files. Is one of these files where the lookup table name comes from? If not, then where?

The way that I've inserted the lookup file into Splunk is by creating an automatic lookup (using all 3 options: Lookup Table, Lookup Definition, Lookup Automation). Does one of these steps need to be referenced for the lookup table name? Everything I've tried hasn't worked yet.


jimodonald
Contributor

Yes, you need to create the lookup table and upload it to the Splunk server before you can use it to perform lookups.

The process is well documented in the Knowledge Manager Manual and in section 5 of the Splunk Tutorial (which I highly recommend). Alternatively, I would recommend talking with your Splunk Admins.
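The two searches below are an added example, not code from either poster in this thread or from Splunk's documentation. They put the two answers above together: first confirm that the lookup is actually visible from the app you are searching in, then run the rex-plus-lookup search with the failure mode handled. The index and sourcetype (`index=auth sourcetype=app_login`), the lookup definition name `usernames`, and its column headers `user` and `name` are all assumptions; substitute your own.

```spl
| inputlookup usernames
| head 5

index=auth sourcetype=app_login "Login succeeded for user:"
| rex field=_raw "Login succeeded for user: (?<user>\S+)"
| lookup usernames user OUTPUT name
| eval name=coalesce(name, "unmapped:" . user)
| chart count over name
```

The first search is the check: `inputlookup` accepts either the lookup definition name or the uploaded file name, so if it returns rows the table exists, and if it returns "does not exist" from the same app and user you are searching as, the problem is the definition's name or its sharing permissions (a lookup definition left Private to the user who created it, or shared only within another app, is invisible from everywhere else) rather than the search. The `lookup` command itself takes the lookup definition name, not the CSV file name. Three points in the second search matter for the original question. The capture group is `\S+` rather than `.*`, because a greedy `.*` also swallows any trailing text on the line, and the lookup then fails to match the ID exactly. If the CSV header for the ID column is not literally `user`, map it with `lookup usernames id AS user OUTPUT name`. Finally, `chart count over name` silently drops every event whose `name` is null, so an ID missing from the table disappears from the result instead of showing up as a count; the `coalesce` line keeps those events visible under an `unmapped:<id>` label, which is usually what you want when the chart is feeding a security review of who logged in.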
