This is my search...
index=webproxy
| regex user=".+a"
| top 100 user
| eval user_name=substr(user,1,5)
I have a lookup table that uses the field user to enrich my data.
How can I pass the newly defined field user_name
to the lookup to give me the enriched results?
I figured it out
index=webproxy earliest=-9d
| regex user=".*.a$"
| top 100 user
| eval user_name=substr(user,1,5)
| eval user=user_name
| lookup people_table user