I am trying to use a lookup table after I rex out some logs.
Here is an example:
index=* source=messages
| rex field=_raw "ACTION:[\w]\s(?<action>.*) CODE"
| outputlookup actions.csv action OUTPUT desc AS desc
| table _time action desc
Can anyone help? Am I doing it wrong?
I think the display is eating some of your rex, so I'm not sure I can troubleshoot that part directly. If it's working at creating a field called action, then you should only need to revise your lookup line:
| lookup actions.csv action OUTPUT desc AS desc
That will work if the events contain a field called action. If they don't (say, maybe they contain a field called ACTION), then you'd do this:
| lookup actions.csv action AS ACTION OUTPUT desc AS desc
The way you have it now, you are using the command outputlookup, which is used to literally "output a lookup file" (i.e. create a lookup file) rather than to use a lookup file to perform a lookup.
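To make the difference between lookup and outputlookup (and the direction of the `AS` rename) concrete, here is an added Python model of the three commands, not Splunk code and not from either post. The events and the actions.csv contents are constructed, and the lookup is assumed to be an exact-match join on the lookup field.

```python
import csv
import io
import re

# Constructed sample events (not from the original post), shaped so the
# asker's rex pattern has something to capture.
RAW_EVENTS = [
    "2024-01-01T10:00:00 host1 ACTION:A login CODE 200",
    "2024-01-01T10:00:05 host1 ACTION:B delete_user CODE 200",
    "2024-01-01T10:00:09 host2 ACTION:C unknown_op CODE 500",
]

# Constructed stand-in for actions.csv: one lookup field, one output field.
ACTIONS_CSV = """action,desc
login,User authenticated
delete_user,Account removed
"""

# The asker's pattern with the named group restored (SPL (?<name>) -> Python (?P<name>)).
REX = re.compile(r"ACTION:[\w]\s(?P<action>.*) CODE")


def rex(events, pattern=REX):
    """Model of `rex field=_raw`: each named group becomes a field on the event."""
    out = []
    for raw in events:
        ev = {"_raw": raw}
        m = pattern.search(raw)
        if m:
            ev.update(m.groupdict())
        out.append(ev)
    return out


def lookup(events, csv_text, lookup_field, event_field, output_field, alias):
    """Model of `| lookup file <lookup_field> AS <event_field> OUTPUT <output_field> AS <alias>`.
    Reads the table and enriches matching events; the table itself is never written."""
    rows = csv.DictReader(io.StringIO(csv_text))
    table = {row[lookup_field]: row[output_field] for row in rows}
    for ev in events:
        key = ev.get(event_field)        # the event-side name is the one after AS
        if key in table:
            ev[alias] = table[key]       # unmatched events simply get no alias field
    return events


def outputlookup(events, fields):
    """Model of `| outputlookup file`: writes the listed event fields out as a CSV table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for ev in events:
        writer.writerow(ev)
    return buf.getvalue()
```

Running `lookup(rex(RAW_EVENTS), ACTIONS_CSV, "action", "action", "desc", "desc")` enriches the two known actions and leaves the third without a `desc`; swapping the event-side name to `ACTION` enriches nothing because no event carries that field, which is the mismatch the answer's second form is for.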