Hi Splunk Users,
My main search to find DHCP Discover logs is as below:
index=bluecat (Mac_Address) "DHCPDISCOVER"
| table _time message_option mac_address
What I am trying to achieve is I have a dashboard, so when I search the Username, it gives me all sorts of information about the Username.
My token for the username is $clientip$
I need to look up the Mac_Address from a separate CSV table called bbtable.csv; this table includes the username and mac_address details.
When I run the lookup separately as below:
inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC"
it returns the required mac_address value I need.
When I combine the sub-search with my main search as below, it fails with the message "No results found. Try expanding the time range." 😞
index=bluecat [inputlookup bbtable.csv | search "Username" = AVCxxxxxxxxxxx | fields "MAC" | dedup "MAC"]
| table _time message_option mac_address
Please help
Thank you in advance
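
An added example, not part of the original post: one common way to write the combined search. The subsearch starts with a pipe because inputlookup is a generating command, and the lookup column is renamed so that the subsearch hands mac_address="..." terms to the outer search. It assumes the bluecat events carry an extracted mac_address field (as the table command above suggests) whose values use the same format as the MAC column in bbtable.csv.

```spl
index=bluecat "DHCPDISCOVER"
    [| inputlookup bbtable.csv
     | search Username="AVCxxxxxxxxxxx"
     | fields MAC
     | dedup MAC
     | rename MAC AS mac_address ]
| table _time message_option mac_address
```

In the dashboard, the literal username would be replaced by the quoted token, Username="$clientip$". Running the bracketed part on its own with | format appended shows the exact filter string the outer search receives.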