We now have a fully automatic lookup, enriching the source type impl_splunk_gen based on the value of user in each event. To show the power of this lookup, let's search for a field in the lookup file, as if it were part of the events:

source="impl_splunk_gen" department="HR" | top user

Even though department isn't in our events at all, Splunk will reverse the lookup, find the values of user that are in that department, and run the search for those users. This returns the following result:
Let's combine this search with an event type that we defined earlier. To find the most recent failed login for each member of HR, we can run:

source="impl_splunk_gen" department="HR" eventtype="failed_login"
| dedup user
| table _time user department city state

This returns:

The dedup command simply says to keep only one event for each value of user. As events are returned in the "most recent first" order, this query will return the most recent login for each user.
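To make the reverse lookup and the dedup step concrete, here is an added example (not from the book, and not Splunk's own code) that simulates the pipeline above in Python over a constructed lookup table and constructed events; the user names, departments, cities and timestamps are assumptions.

```python
# Constructed lookup rows, standing in for the CSV behind the automatic
# lookup on sourcetype impl_splunk_gen (file name and contents are assumed).
LOOKUP = [
    {"user": "mary", "department": "HR", "city": "Dallas", "state": "TX"},
    {"user": "jacky", "department": "HR", "city": "Austin", "state": "TX"},
    {"user": "bob", "department": "IT", "city": "Boston", "state": "MA"},
]

# Constructed events; eventtype is assumed to be already assigned.
EVENTS = [
    {"_time": "2012-01-11 10:01:00", "user": "mary", "eventtype": "failed_login"},
    {"_time": "2012-01-11 10:05:00", "user": "bob", "eventtype": "failed_login"},
    {"_time": "2012-01-11 10:07:00", "user": "mary", "eventtype": "failed_login"},
    {"_time": "2012-01-11 10:09:00", "user": "jacky", "eventtype": "login"},
    {"_time": "2012-01-11 10:12:00", "user": "jacky", "eventtype": "failed_login"},
]


def enrich(event, lookup):
    """Automatic lookup: copy the matching row's fields onto the event."""
    for row in lookup:
        if row["user"] == event["user"]:
            return {**event, **{k: v for k, v in row.items() if k != "user"}}
    return dict(event)


def reverse_lookup(lookup, field, value):
    """Reverse lookup: turn department="HR" into the set of matching users."""
    return {row["user"] for row in lookup if row.get(field) == value}


def most_recent_failed_login(events, lookup, department):
    """department="<dept>" eventtype="failed_login" | dedup user | table ..."""
    users = reverse_lookup(lookup, "department", department)
    # Splunk hands events to dedup most-recent-first, so sort descending.
    ordered = sorted(events, key=lambda e: e["_time"], reverse=True)
    seen, rows = set(), []
    for ev in ordered:
        if ev["user"] not in users or ev["eventtype"] != "failed_login":
            continue
        if ev["user"] in seen:  # dedup user: keep only the latest per user
            continue
        seen.add(ev["user"])
        e = enrich(ev, lookup)
        rows.append((e["_time"], e["user"], e["department"], e["city"], e["state"]))
    return rows
```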
We will configure more advanced lookups in later chapters.