I am trying to use the lookups included in the Splunk App for Windows Infrastructure, and I am having odd results:
|inputlookup tSessions|search session_id="0x59f23e232"
returns one record as expected.
eval session_id="0x59f23e232"|lookup tSessions session_id OUTPUTNEW login_username,login_domain,login_host
returns zero results. I took the lookup right out of a dashboard for User Change Audit, which is meant to look up the host and user who made a change; however, it does not appear to work.