https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165616#M47059 <P>Hi , </P> <PRE><CODE>index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]" | dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_email | where matched_email!="unmatched" </CODE></PRE> <P>This is not working ?? any idea .... </P> <P>But this ,</P> <PRE><CODE>index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]" </CODE></PRE> <P>is getting the data ... sso_id ...</P> <P>but comparing it with a lookup table and events ... I'm not getting the unmatched data. Why is this not working ....????</P> Thu, 16 Oct 2014 17:56:16 GMT siraj198204 2014-10-16T17:56:16Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165616#M47059 <P>Hi , </P> <PRE><CODE>index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]" | dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_email | where matched_email!="unmatched" </CODE></PRE> <P>This is not working ?? any idea .... </P> <P>But this ,</P> <PRE><CODE>index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]" </CODE></PRE> <P>is getting the data ... sso_id ...</P> <P>but comparing it with a lookup table and events ... I'm not getting the unmatched data. Why is this not working ....????</P> Thu, 16 Oct 2014 17:56:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165616#M47059 siraj198204 2014-10-16T17:56:16Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165617#M47060 <P>In your configuration of the lookup <CODE>identity_lookup</CODE>, did you define a default value of "unmatched"?</P> <P>You might also replace</P> <PRE><CODE>| where matched_email!="unmatched" </CODE></PRE> <P>with</P> <PRE><CODE>| where matched_email="*" </CODE></PRE> <P>This may work if you didn't set a default value.</P> Thu, 16 Oct 2014 20:28:25 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165617#M47060 lguinn2 2014-10-16T20:28:25Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165618#M47061 <P>Do note though, <CODE>where matched_email="*"</CODE> will look for a literal asterisk. Use <CODE>search matched_email="*"</CODE> to say "matched_email contains a value".</P> Thu, 16 Oct 2014 20:42:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165618#M47061 martin_mueller 2014-10-16T20:42:38Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165619#M47062 <P>Hi,</P> <P>index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"</P> <P>it is working good ,</P> <P>but it is adding the null value also ,</P> <P>›</P> <P>10/17/14<BR /> 10:52:07.108 AM</P> <P>Example ,</P> <P>[10/17/2014][07:52:07.108][486480816][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]<BR /> host =useclpapl894.nbcuni.ge.com<BR /> matched_sso ="NonNbcAccount"<BR /> source =/opt/siteminder/log/smtracedefault.log<BR /> sourcetype =smtrace<BR /> sso_id =</P> <P>here the 11 the value is [] null value there is no id ... inside .... but it is also showing as " "NonNbcaccount" ... it should not show up ....</P> <P>Thanks u ....</P> Mon, 28 Sep 2020 17:54:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-with-rex-and-compare-it-against-a-lookup/m-p/165619#M47062 siraj198204 2020-09-28T17:54:24Z