Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How i need to built dashboard If the fields are not present in the source(logs) but all the fields are present in the lookup table .

moiezuddin
Explorer
‎03-16-2015 06:49 AM

1,Use the lookup table identity_lookup and match it to the sso field to get the jobTitle orgName orgSegment parentOrgname userType

source="/opt/www/logs/BBCcentral/BBCcentral.log"

In first search above logs iam unable to find any field (jobTitle orgName orgSegment parentOrgname userType, sso)
but all the fields are present in the lookup table (identity_lookup)

Kindly help me how to built

Kindly help ASAP.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

btt
Path Finder
‎03-19-2015 02:41 AM

Hi,

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup  sso  as User_ID OUTPUTNEW  jobTitle  orgName  orgSegment  parentOrgname  userType

where sso field is present to your lookup table and User_ID is present to your events log

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

btt
Path Finder
‎03-19-2015 02:41 AM

Hi,

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup  sso  as User_ID OUTPUTNEW  jobTitle  orgName  orgSegment  parentOrgname  userType

where sso field is present to your lookup table and User_ID is present to your events log

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-19-2015 03:10 AM

Hi,

i made some changes to your given query now it is showing results.

Thank you for your input..

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎03-18-2015 01:02 AM

Hi moiezuddin
Try this request it will be help you well

source="/opt/www/logs/BBCcentral/BBCcentral.log" | lookup identity_lookup  sso  OUTPUT  jobTitle  orgName  orgSegment parentOrgname  userType | table  jobTitle  orgName  orgSegment  parentOrgname  userType   sso
0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-18-2015 11:15 PM

Hi,
its not working
the lookup table present in field definition not in automatic lookups
if i deleted lookup table automatic lookups my query also dosent work.

Can you help me to right query with regex or some other possibulities
Even i am unable to use field extractor because mentioned fields are not present in the logs .
All the required fields are present in the lookup table

Please help on it

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-17-2015 11:58 PM

just created this Automatic lookups

source="/opt/www/logs/BBCcentral/BBCcentral.log" sso!="" | table jobTitle orgName orgSegment parentOrgname userType.

Its worked

0 Karma
Reply
Solved! Jump to solution

btt
Path Finder
‎03-17-2015 05:46 AM

Hi, have you try with OUTPUTNEW?
If i have understand your problem, you want to get new fields. or, when you specified OUPUT, is to overwrite existing fields with the output lookupfields .

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-17-2015 05:59 AM

can you give one example how to right it with the
source="/opt/www/logs/BBCcentral/BBCcentral.log" and lookup table name (identity_lookup)
Fields are jobTitle orgName orgSegment parentOrgname userType

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...