Hi, I'm working with the ThreatConnect lookup created by their add-on. One of the KV stores has one field within a collection; the field name in the KV store definition is tag, and that field has multiple values for tag.name.
For example, one row will look like the following:
```
webLink: https://app.threatconnet.com
rating: 5.0
confidence: 80
indicator: 101.1.8.1
tag.name: malware
.name: Corebot
.name: Ransomware
```
![alt text][1]
The field tag is part of the supported fields; however, I'm not able to search over that field using the lookup command.

If I use `|lookup tci indicator as dest OUTPUT tag as tag | table dest, tag`, the tag column is empty.

If I use `|lookup tci indicator as dest OUTPUT tag.name as tag | table dest, tag`, I get a Splunk error: **"Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table."**

I would like to use the search command to find a custom tag.name, but it doesn't work.

Notice that the tag field has values, because when I use the command `|inputlookup tci |search tag.name=Corebot` I get information in that column.

I would like to know if it is possible to use the lookup command to retrieve tag.name. I know that I can use a subsearch with the inputlookup command, but I think it is not efficient.
Thanks in advance for your help.
[1]: /storage/temp/275823-splunkticketlookup.png