
How do I build a dashboard if the fields are not present in the source (logs) but all the fields are present in the lookup table?

Explorer

1. Use the lookup table identity_lookup and match it to the sso field to get jobTitle, orgName, orgSegment, parentOrgname, userType.

source="/opt/www/logs/BBCcentral/BBCcentral.log"

In the first search above, I am unable to find any of the fields (jobTitle, orgName, orgSegment, parentOrgname, userType, sso) in the logs,
but all the fields are present in the lookup table (identity_lookup).

Kindly help me with how to build it.

Kindly help ASAP.


Path Finder

Hi,

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup  sso  as User_ID OUTPUTNEW  jobTitle  orgName  orgSegment  parentOrgname  userType

where the sso field is present in your lookup table and User_ID is present in your event log.



Explorer

Hi,

I made some changes to the query you gave, and now it is showing results.

Thank you for your input.


Motivator

Hi moiezuddin,
Try this request; it will help you.

source="/opt/www/logs/BBCcentral/BBCcentral.log" | lookup identity_lookup sso OUTPUT jobTitle orgName orgSegment parentOrgname userType | table jobTitle orgName orgSegment parentOrgname userType sso

Explorer

Hi,
It's not working.
The lookup table is present in the field definition, not in automatic lookups.
If I delete the lookup table from automatic lookups, my query also doesn't work.

Can you help me write the query with regex or some other possibility?
I am even unable to use the field extractor, because the mentioned fields are not present in the logs.
All the required fields are present in the lookup table.

Please help with it.


Explorer

Just created this automatic lookup:

source="/opt/www/logs/BBCcentral/BBCcentral.log" sso!="" | table jobTitle orgName orgSegment parentOrgname userType

It worked.


Path Finder

Hi, have you tried with OUTPUTNEW?
If I have understood your problem, you want to get new fields; whereas when you specify OUTPUT, it is to overwrite existing fields with the output lookup fields.

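The two points made in this thread, extracting a key from the raw event with rex and then enriching it from a lookup, and the difference between OUTPUT (overwrite) and OUTPUTNEW (only fill fields the event does not already have), are easy to check outside Splunk. The following Python script is an added example written for this page; it is not Splunk code and not from any poster here. It uses constructed log lines and a constructed CSV standing in for identity_lookup, mirrors the accepted answer's three rex patterns (with the dots in the e-mail pattern escaped, and the 9-digit match anchored so a longer digit run is not truncated), and adds one hypothetical userType= extraction so the OUTPUT/OUTPUTNEW behaviour is visible. Field and table names are the thread's; everything else is assumed.

```python
import csv
import io
import re

# Constructed lookup table standing in for identity_lookup (sample data, not from the thread)
IDENTITY_LOOKUP_CSV = """sso,jobTitle,orgName,orgSegment,parentOrgname,userType
123456789,Engineer,Platform,Technology,ExampleCorp,employee
987654321,Analyst,Security,Technology,ExampleCorp,contractor
"""

# Constructed log lines standing in for BBCcentral.log events
SAMPLE_LOG_LINES = [
    "2024-01-05 09:12:01 details jsmith john.smith@example.com sso=123456789 action=login",
    "2024-01-05 09:13:44 details adoe alice.doe@example.com sso=987654321 userType=admin action=login",
    "2024-01-05 09:14:02 details svc_batch sso=555000111 action=cron",
    "2024-01-05 09:15:30 healthcheck ok",
]

OUTPUT_FIELDS = ["jobTitle", "orgName", "orgSegment", "parentOrgname", "userType"]

# Extractions equivalent to the answer's rex commands.
EXTRACTORS = [
    re.compile(r"(?P<Email>\w+\.\w+@\w+\.\w+)"),      # dots escaped; the original used wildcards
    re.compile(r"details (?P<Name>\w+)"),
    re.compile(r"(?<!\d)(?P<User_ID>\d{9})(?!\d)"),   # exactly nine digits, not a slice of a longer run
    re.compile(r"userType=(?P<userType>\w+)"),        # hypothetical: a field some events already carry
]


def load_lookup(csv_text, key="sso"):
    """Index the lookup CSV by its key column, as Splunk does for a CSV lookup."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key]: {k: v for k, v in row.items() if k != key} for row in rows}


def extract_fields(line):
    """Apply each rex-style pattern; a field whose pattern does not match is simply absent."""
    event = {"_raw": line}
    for pattern in EXTRACTORS:
        match = pattern.search(line)
        if match:
            event.update(match.groupdict())
    return event


def lookup(event, table, event_key, output_fields, overwrite):
    """Equivalent of `| lookup <table> sso AS <event_key> OUTPUT|OUTPUTNEW <fields>`.
    overwrite=True behaves like OUTPUT, overwrite=False like OUTPUTNEW."""
    key = event.get(event_key)
    row = table.get(key) if key is not None else None
    if row is None:
        return event  # no match in the lookup: the event passes through unchanged
    for field in output_fields:
        if field in row and (overwrite or field not in event):
            event[field] = row[field]
    return event


def enrich(lines, table, overwrite=False):
    """rex extraction followed by the lookup, for every raw line."""
    return [lookup(extract_fields(line), table, "User_ID", OUTPUT_FIELDS, overwrite)
            for line in lines]


def table_view(events, fields):
    """Equivalent of `| table <fields>`: one row per event, empty string where a field is missing."""
    return [[event.get(field, "") for field in fields] for event in events]


if __name__ == "__main__":
    ident = load_lookup(IDENTITY_LOOKUP_CSV)
    for row in table_view(enrich(SAMPLE_LOG_LINES, ident), ["User_ID"] + OUTPUT_FIELDS):
        print(row)
```

Running it shows the fourth line (no 9-digit key) and the third (key not in the lookup) pass through without any of the five lookup fields, which is the same reason the asker's searches returned nothing until a key was extracted from the raw event. Switching enrich() to overwrite=True changes only the second event, where the lookup's userType replaces the value already in the event, which is the OUTPUT-versus-OUTPUTNEW distinction raised above.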

Explorer

Can you give one example of how to write it with
source="/opt/www/logs/BBCcentral/BBCcentral.log" and the lookup table name (identity_lookup)?
The fields are jobTitle, orgName, orgSegment, parentOrgname, userType.
