Hi all,
I am having some issues getting a lookup (or maybe I just can't wrap my head around lookups) to work properly with Db Connect. My indexed data in Splunk has a field called NETWORK which is a numeric value. My database has a table that has the conversions to convert the numeric value to a human readable string (ie 0 = Security). So what I have set up is an advanced database lookup that will do a SQL call along these lines:
SELECT value,CONVERSION FROM REPORTER_CONVERSIONS where COLUMN_NAME='Network'
My Lookup fields are VALUE and CONVERSION (I do have two other columns I don't care about).
So what I am expecting is that I provide my search something along these lines:
sourcetype="nc_alarms" | lookup nc_name VALUE as network output CONVERSION as NETWORKNAME
And I am hoping that in my search output I get the NETWORKNAME as the human readable string. I am getting nothing. Any ideas where I am going wrong?