Hi.
I am using different eventtypes for my search query, like this:
1. et_Accepted
2. et_Rejected
3. et_Exception
Now I have given them in my lookup table like this:
eventtype,Name
et_Accepted Accepted
et_Rejected Rejected
et_Exception Exception
Now when I run the query like this:
sourcetype="A" | top Name
it's not giving me the output.
Please help!
No, you cannot. Or rather, you can, but the lookup must be explicitly specified with the lookup search command. This is because eventtypes are assigned after automatic lookups are run. You can work around this with:
sourcetype=A | lookup mylookup eventtype OUTPUT Name | top Name