Let's say I have log entries as follows:
I want to be able to incorporate two tables that have the following data:
CITY_TABLE: host, city
STATE_TABLE: city, state
How would I be able to add CITY_TABLE and STATE_TABLE to splunk in order to obtain search results that will provide: time, event_id, host, city, state?
The problem I am having is I don't know how to get the STATE_TABLE into Splunk and to include it in my search. For example, when adding STATE_TABLE as a lookup, it asks what field in STATE_TABLE maps to the logs (i.e. we have the choice of using host, sourcetype, etc.), but STATE_TABLE doesn't have those fields.
Can't you just chain your lookups?
... | lookup CITY_TABLE host OUTPUT city | lookup STATE_TABLE city OUTPUT state
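As an added illustration of the chained-lookup approach (not part of the original answer), here are the two CSV lookups and the full search. The file names city_table.csv and state_table.csv and the sample rows are assumed; the lookup names match the ones used above.

```spl
# Constructed lookup files (upload via Settings > Lookups > Lookup table files,
# or place in $SPLUNK_HOME/etc/apps/<app>/lookups/). The header row names the fields.
#
# city_table.csv          state_table.csv
# host,city               city,state
# web01,Boston            Boston,MA
# web02,Austin            Austin,TX

# transforms.conf: define each file as a lookup (assumed stanza names = lookup names used in the search).
# The second lookup's input field is "city", which only exists after the first lookup has run,
# so it cannot be mapped to a raw log field in the UI; chaining in the search is what makes it work.
[CITY_TABLE]
filename = city_table.csv

[STATE_TABLE]
filename = state_table.csv

# Sanity check that each table loaded as expected before using it in a search:
| inputlookup CITY_TABLE
| inputlookup STATE_TABLE

# Full search producing the requested columns. Hosts with no row in CITY_TABLE get no city
# and therefore no state; fillnull marks those rows explicitly instead of leaving them blank.
index=main sourcetype=my_logs
| lookup CITY_TABLE host OUTPUT city
| lookup STATE_TABLE city OUTPUT state
| fillnull value="UNKNOWN" city state
| table _time event_id host city state
```

The index and sourcetype are placeholders for your own data; OUTPUT overwrites an existing city or state field, so use OUTPUTNEW if your events already carry one.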
Thanks! This worked.