Let's take a look at the problem query and discuss
We often get questions about specific queries, and although they may differ slightly from yours, you may run into a similar issue and find this information helpful.
The query below throws a "lookup (module idx 2) error: Column as not found" error:
tag=syslog-sd* syslog Timestamp Message | json -e Message -s l7Proto srcIp name | lookup -r pdassets verifiedhost as Hostname | count by l7Proto srcIp name | eval l7Proto!="" | eval srcIp!="" | table srcIp l7Proto name count
The lookup module can be a little tough to get used to. Besides the resource specification (-r pdassets) it needs three positional arguments, optionally followed by "as <newname>". The first argument names an *enumerated value* produced earlier in the pipeline. The second names a column in the resource; lookup searches down that column until it finds an entry *whose value equals the enumerated value named by the first argument*. The third names another column; having found a matching row, lookup copies the contents of that column into a new enumerated value (named after the column unless you rename it with "as"). That is why the error mentions a column called "as": with only "verifiedhost as Hostname" supplied, lookup takes verifiedhost as the enumerated value, the literal word "as" as the column to match against, and Hostname as the output column, so it goes looking for a column named "as" in pdassets and fails.
Looking at your query, it looks like you want to look up hostnames based on the srcIp IP address. Try tweaking the lookup invocation to something like:
lookup -r pdassets srcIp verifiedip verifiedhost as Hostname
That will try to match srcIp against the verifiedip column, and when it finds a match it will extract the corresponding value from the verifiedhost column and set it as "Hostname". Note that the first argument must be spelled exactly as the json module emits it (srcIp here); an enumerated value that is never found simply produces no Hostname on that entry rather than an error, which is easy to miss.
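The following is an added example that models how lookup consumes its arguments; it is not Gravwell's own code, and the pdassets rows, the syslog entries and the helper names (json_extract, parse_lookup_args, lookup, hostnames) are all constructed for illustration. Running the broken argument list through it reproduces the "Column as not found" failure, and running the corrected list shows the Hostname join, including an entry whose srcIp has no row in the resource.

```python
"""Model of Gravwell's lookup argument handling (added example, not Gravwell code)."""
import json

# Constructed "pdassets" lookup resource: one row per asset (not real data).
PDASSETS = [
    {"verifiedip": "10.0.0.5", "verifiedhost": "web01.corp"},
    {"verifiedip": "10.0.0.9", "verifiedhost": "db01.corp"},
]
RESOURCES = {"pdassets": PDASSETS}

# Constructed syslog entries; Message carries the JSON the query extracts from.
ENTRIES = [
    {"Message": json.dumps({"l7Proto": "tls", "srcIp": "10.0.0.5", "name": "vault.corp"})},
    {"Message": json.dumps({"l7Proto": "dns", "srcIp": "10.0.0.9", "name": "ns1.corp"})},
    {"Message": json.dumps({"l7Proto": "http", "srcIp": "192.0.2.44", "name": "cdn.example"})},
]


def json_extract(entries, source, fields):
    """Model of `json -e <source> <fields...>`: pull fields out of the JSON in <source>."""
    out = []
    for e in entries:
        doc = json.loads(e[source])
        e = dict(e)
        for f in fields:
            if f in doc:
                e[f] = doc[f]
        out.append(e)
    return out


def parse_lookup_args(tokens):
    """Split `-r <resource> <ev> <matchcol> <outputcol> [as <newname>]` positionally.
    Nothing here knows which token "should" be a column, which is exactly why a
    missing <ev> argument shifts the word `as` into the match-column slot."""
    tokens = list(tokens)
    if tokens[:1] != ["-r"] or len(tokens) < 2:
        raise ValueError("expected -r <resource>")
    resource, rest = tokens[1], tokens[2:]
    if len(rest) < 3:
        raise ValueError("lookup needs <ev> <matchcol> <outputcol>")
    ev, match_col, out_col = rest[:3]
    new_name = rest[4] if len(rest) >= 5 and rest[3] == "as" else None
    return resource, ev, match_col, out_col, new_name


def lookup(entries, tokens):
    """Model of the lookup module: for each entry, find the resource row whose
    <matchcol> equals the entry's <ev> and copy <outputcol> into a new EV."""
    name, ev, match_col, out_col, new_name = parse_lookup_args(tokens)
    rows = RESOURCES[name]
    columns = set(rows[0]) if rows else set()
    for col in (match_col, out_col):
        if col not in columns:
            # This is the failure behind "Column as not found".
            raise KeyError(f"lookup error: Column {col} not found")
    index = {row[match_col]: row[out_col] for row in rows}
    target = new_name or out_col
    out = []
    for e in entries:
        e = dict(e)
        if ev in e and e[ev] in index:   # no match: entry passes through untouched
            e[target] = index[e[ev]]
        out.append(e)
    return out


def hostnames(tokens):
    """Run extract + lookup over the sample entries; return srcIp -> Hostname (or None)."""
    extracted = json_extract(ENTRIES, "Message", ["l7Proto", "srcIp", "name"])
    joined = lookup(extracted, tokens)
    return {e["srcIp"]: e.get("Hostname") for e in joined}


if __name__ == "__main__":
    try:
        hostnames(["-r", "pdassets", "verifiedhost", "as", "Hostname"])
    except KeyError as err:
        print("broken query:", err)
    print("fixed query:", hostnames(
        ["-r", "pdassets", "srcIp", "verifiedip", "verifiedhost", "as", "Hostname"]))
```

The 192.0.2.44 entry comes back without a Hostname rather than raising, which mirrors the silent no-match case you will hit if the enumerated value name is misspelled or the asset is simply missing from the resource.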
If you have a problem query that is leaving you scratching your head, please reach out to support@gravwell.io and we'll help you get it sorted out!