1. Use the lookup table identity_lookup and match it to the sso field to get the jobTitle orgName orgSegment parentOrgname userType
source="/opt/www/logs/BBCcentral/BBCcentral.log"
In the first search on the above logs I am unable to find any of the fields (jobTitle orgName orgSegment parentOrgname userType, sso),
but all the fields are present in the lookup table (identity_lookup).
Kindly help me how to build
Kindly help ASAP.
Hi,
"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup sso as User_ID OUTPUTNEW jobTitle orgName orgSegment parentOrgname userType
where the sso field is present in your lookup table and User_ID is present in your event logs
Hi,
I made some changes to your given query and now it is showing results.
Thank you for your input.
Hi moiezuddin
Try this request; it will help you well:
source="/opt/www/logs/BBCcentral/BBCcentral.log" | lookup identity_lookup sso OUTPUT jobTitle orgName orgSegment parentOrgname userType | table jobTitle orgName orgSegment parentOrgname userType sso
Hi,
It's not working.
The lookup table is present in field definition, not in automatic lookups.
If I deleted the lookup table automatic lookups, my query also doesn't work.
Can you help me write the query with regex or some other possibilities?
I am even unable to use the field extractor because the mentioned fields are not present in the logs.
All the required fields are present in the lookup table
Please help on it
Just created this automatic lookup:
source="/opt/www/logs/BBCcentral/BBCcentral.log" sso!="" | table jobTitle orgName orgSegment parentOrgname userType
It worked.
Hi, have you tried with OUTPUTNEW?
If I have understood your problem, you want to get new fields. When you specify OUTPUT, on the other hand, it overwrites existing fields with the output lookup fields.
Can you give one example of how to write it with the
source="/opt/www/logs/BBCcentral/BBCcentral.log" and lookup table name (identity_lookup)
Fields are jobTitle orgName orgSegment parentOrgname userType
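The enrichment discussed in this thread, modelled in Python as an added example (not code from any poster and not Splunk's implementation): extract a 9-digit ID from the raw event, match it to sso in the lookup, and either overwrite existing fields (OUTPUT) or keep them (OUTPUTNEW). The log lines, lookup rows and the lookup_status field are constructed, and treating OUTPUTNEW as a per-field rule is an assumption of this model.

```python
import csv
import io
import re

# Constructed stand-in for the identity_lookup table (not real data).
IDENTITY_LOOKUP_CSV = """sso,jobTitle,orgName,orgSegment,parentOrgname,userType
123456789,Analyst,Payments,Finance,ExampleCorp,employee
987654321,Engineer,Platform,IT,ExampleCorp,contractor
"""
OUT_FIELDS = ["jobTitle", "orgName", "orgSegment", "parentOrgname", "userType"]

# Constructed events; the real BBCcentral.log format is not shown in the thread.
EVENTS = [
    {"_raw": "login ok details alice id 123456789"},
    {"_raw": "login ok details bob id 987654321", "userType": "from_event"},
    {"_raw": "login ok details carol id 555555555"},
    {"_raw": "scheduler heartbeat"},
]

# Like rex "(?<User_ID>\d{9})" from the thread, but refusing longer digit runs.
USER_ID = re.compile(r"(?<!\d)\d{9}(?!\d)")

def load_lookup(text):
    """Index the lookup rows by their sso column."""
    return {row["sso"]: row for row in csv.DictReader(io.StringIO(text))}

def enrich(events, table, overwrite):
    """overwrite=True models OUTPUT, overwrite=False models OUTPUTNEW (assumed per field)."""
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        m = USER_ID.search(ev["_raw"])
        if m is None:
            ev["lookup_status"] = "no_id_extracted"   # hypothetical status field
        else:
            ev["User_ID"] = m.group()
            row = table.get(ev["User_ID"])
            if row is None:
                ev["lookup_status"] = "id_not_in_lookup"
            else:
                ev["lookup_status"] = "enriched"
                for f in OUT_FIELDS:
                    if overwrite or f not in ev:
                        ev[f] = row[f]
        out.append(ev)
    return out

if __name__ == "__main__":
    for ev in enrich(EVENTS, load_lookup(IDENTITY_LOOKUP_CSV), overwrite=False):
        print(ev["lookup_status"], ev.get("User_ID"), ev.get("orgName"), ev.get("userType"))
```

Events that end up as id_not_in_lookup or no_id_extracted are the ones to review when enrichment silently returns empty identity fields.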