Hi,
I have defined an eventtype in Splunk for a particular search. I defined a lookup which had this eventtype as a key value to retrieve data. Based on this eventtype, I was fetching error_type and error_message from the lookup file. But I was not able to fetch the same. Please suggest.
Should work. Say you have a lookup like this:
eventtype,error_type,error_message
foo,"some error","some message"
Then this search should yield results:
eventtype=foo | lookup eventtype_lookup eventtype OUTPUT error_type error_message | table _time eventtype error_type error_message
Could you please provide more details on how you're using the eventtype in lookup? Possibly a sample search that you wrote and didn't work?