Hi,
Usually lookups aren't an issue, but today seems it is. I'm hoping this is just a pebcak ;) This is the first time I'm attempting to run a lookup on eval fields rather than search-time extractions.
Anyway, to the issue.
I have a search `index=ibm_xiv sourcetype="xiv:volpool"` and this is OK. I then use eval to split a field value into a couple of new fields using `| eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1)`. All is well. The 2 new fields are populated with the correct values which are abbreviations. Now I have created 2 CSV files to translate these abbreviations, created the lookup tables and definitions.
Both files are in the same format: Both the channel and environment column contain the abbreviations.
channel.csv = **"channel","friendlyName"**
environment.csv = **"environment","friendlyName"**
No matter how I configure an automatic lookup, it makes no difference what so ever.
Executing this works:
index=ibm_xiv sourcetype="xiv:volpool" | eval temp=split(vol_name,"_"), environment=mvindex(temp,0), channel=mvindex(temp,1) | lookup XIVChannels channel as channel OUTPUT friendlyName as channel
Having `XIVChannels channel AS channel OUTPUT friendlyName AS channel` as an automatic lookup does not :(
Am I doing something wrong, or do I assume that at search-time the lookup is done after the evals (which is why it works on a manual search), but an automatic lookup is done before the evals?
TIA
Steve
↧