Hi, I'm having trouble trying to do the following:
I have a search which pulls the event_id, which I would like to compare against the first lookup_file1 [alert_id] which contains a column called alert_id, and in turn list the associated severity values from the next column.
lookup1 = alert_id
(col names)
alert,alert,id,class,severity
I would then like to compare the above results to lookup_file2 [alert_severity] and take the previous severity values and list the severity_message
lookup2 = alert_severity
(col names)
severity,severity_message
Past Attempts:
index="zsecure_test" | fields alert_id
|lookup alert_id alert_id | dedup alert_id |append [lookup alert_severity severity_message]|table alert_id, class, severity, severity_message
index="zsecure_test" | fields alert_id
|lookup alert_id alert_id | dedup alert_id |table alert_id, class, severity
|append [inputlookup alert_severity | fields + severity_message]
Thanks
Hi becksyboy,
use the lookup command two times:
index="zsecure_test"
| fields alert_id
| dedup alert_id
| lookup alert_id alert_id OUTPUT class severity
| lookup alert_severity severity OUTPUT severity_message
| table alert_id class severity severity_message
Bye.
Giuseppe
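To see what the two chained lookup calls in Giuseppe's answer actually do to each row, here is an added Python model of the same pipeline (dedup, first lookup on alert_id, second lookup on severity). This is not code from the thread or from Splunk; the two lookup tables and the events are constructed sample data in the column layout the question describes, and the field names, the `chained_lookup` and `unmatched_alert_ids` helpers are assumptions made for the example. The part worth having beyond the SPL itself is the last helper: it lists the alert_ids that fall through both lookups, which is the gap a reviewer of the resulting severity table would want to know about before trusting it.

```python
import csv
import io

# Constructed sample data (not from the thread): two lookup files in the
# column layout described in the question, plus a few events.
ALERT_ID_CSV = """alert_id,class,severity
1001,auth_failure,high
1002,policy_violation,medium
1003,info_event,low
"""

ALERT_SEVERITY_CSV = """severity,severity_message
high,Investigate immediately
medium,Review within 24 hours
low,Informational only
"""

EVENTS = [
    {"alert_id": "1001"},
    {"alert_id": "1002"},
    {"alert_id": "1001"},   # duplicate, removed by the dedup step
    {"alert_id": "9999"},   # absent from the alert_id lookup -> no severity
]


def load_lookup(csv_text, key):
    """Parse a CSV lookup into {key_value: row}, the way a lookup table is keyed."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key]: row for row in rows}


def lookup(events, table, key, output_fields):
    """Model of `| lookup <table> <key> OUTPUT <fields>`: matched fields are
    copied onto the event; unmatched events pass through with the fields absent."""
    enriched = []
    for ev in events:
        ev = dict(ev)
        match = table.get(ev.get(key))
        if match is not None:
            for field in output_fields:
                ev[field] = match[field]
        enriched.append(ev)
    return enriched


def dedup(events, field):
    """Model of `| dedup <field>`: keep the first event seen for each value."""
    seen = set()
    out = []
    for ev in events:
        value = ev.get(field)
        if value in seen:
            continue
        seen.add(value)
        out.append(ev)
    return out


def chained_lookup(events, alert_id_csv, alert_severity_csv):
    """Run the answer's pipeline: dedup, lookup alert_id, lookup severity, table."""
    alert_ids = load_lookup(alert_id_csv, "alert_id")
    severities = load_lookup(alert_severity_csv, "severity")
    rows = dedup(events, "alert_id")
    rows = lookup(rows, alert_ids, "alert_id", ["class", "severity"])
    # The severity value written by the first lookup is the key for the second.
    rows = lookup(rows, severities, "severity", ["severity_message"])
    columns = ("alert_id", "class", "severity", "severity_message")
    return [{c: ev.get(c) for c in columns} for ev in rows]


def unmatched_alert_ids(result_rows):
    """alert_ids that ended up with no severity_message: gaps in the lookup chain."""
    return [r["alert_id"] for r in result_rows if r["severity_message"] is None]


if __name__ == "__main__":
    result = chained_lookup(EVENTS, ALERT_ID_CSV, ALERT_SEVERITY_CSV)
    for row in result:
        print(row)
    print("unclassified:", unmatched_alert_ids(result))
```

Running it prints one row per distinct alert_id; 1001 and 1002 carry a class, severity and severity_message, while 9999 has none of the three, and `unmatched_alert_ids` reports it. In Splunk the same check is a `| where isnull(severity_message)` after the second lookup.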
Thanks Giuseppe! Works great.