output lookup search correlation with input lookup...

brdr · ‎04-23-2018

Hello, can you use a output lookup table just after creating it? I have this search...

When I run this I get no data found, however, when I separate out the outputlookup command and the subsearch and run I get results as expected.

brdr · ‎04-23-2018

reposted initially as an Answer: reposting as a comment:

My use case is:
I need a count of users by there business units. To do this I do:
output list IPs as seen in blue coat logs
index=indexA sourcetype=mystA | table src | outputlookup new.csv
using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
| search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
| table user
| lookup user.csv uname as user OUTPUT displayName businessUnit
| stats count by businessUnit

brdr · ‎04-23-2018

My use case is:

I need a count of users by there business units. To do this I do:

output list IPs as seen in blue coat logs
index=indexA sourcetype=mystA | table src | outputlookup new.csv
using this list (new.csv) match on IP to get user name from our authentication data (indexB) to display business unit
| search index=indexB sourcetype=mystB [| inputlookup new.csv | table src | rename src as src_ip ]
| table user
| lookup user.csv uname as user OUTPUT displayName businessUnit
| stats count by businessUnit

somesoni2 · ‎04-23-2018

I don't think you can do that. What's your use case here?

output lookup search correlation with input lookup data

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life