Dashboards & Visualizations

How do I build a dashboard if the fields are not present in the source (logs) but all the fields are present in the lookup table?

moiezuddin
Explorer

1. Use the lookup table identity_lookup and match it on the sso field to get jobTitle, orgName, orgSegment, parentOrgname, userType

source="/opt/www/logs/BBCcentral/BBCcentral.log"

In the first search above, I am unable to find any of the fields (jobTitle, orgName, orgSegment, parentOrgname, userType, sso) in the logs,
but all the fields are present in the lookup table (identity_lookup).

Kindly help me with how to build it.

Kindly help ASAP.


btt
Path Finder

Hi,

"your source" | rex "(?P<Email>\w+\.\w+@\w+\.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup sso as User_ID OUTPUTNEW jobTitle orgName orgSegment parentOrgname userType

where the sso field is present in your lookup table and User_ID is present in your event log.



moiezuddin
Explorer

Hi,

I made some changes to your query and now it is showing results.

Thank you for your input.


chimell
Motivator

Hi moiezuddin,
Try this request; it will help you.

source="/opt/www/logs/BBCcentral/BBCcentral.log" | lookup identity_lookup  sso  OUTPUT  jobTitle  orgName  orgSegment parentOrgname  userType | table  jobTitle  orgName  orgSegment  parentOrgname  userType   sso

moiezuddin
Explorer

Hi,
it's not working.
The lookup table is present in the field definitions, not in the automatic lookups.
If I delete the lookup table from the automatic lookups, my query also doesn't work.

Can you help me write the query with regex or some other possibility?
I am even unable to use the field extractor, because the mentioned fields are not present in the logs.
All the required fields are present in the lookup table.

Please help with it.


moiezuddin
Explorer

Just created this automatic lookup:

source="/opt/www/logs/BBCcentral/BBCcentral.log" sso!="" | table jobTitle orgName orgSegment parentOrgname userType

It worked.


btt
Path Finder

Hi, have you tried with OUTPUTNEW?
If I have understood your problem, you want to get new fields. When you specify OUTPUT, it overwrites existing fields with the output lookup fields.

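Added example (Python, not Splunk's code and not from anyone in this thread) that emulates what btt's accepted pipeline does: the three rex extractions pull Email, Name and a 9-digit User_ID out of each raw event, the lookup stage joins that User_ID against the sso column of identity_lookup, and the OUTPUT versus OUTPUTNEW flag decides whether a field the event already carries gets overwritten. The log layout, the lookup rows and the extra userType=... token on one line are constructed for the demo; the field and table names are the ones from the thread.

```python
import csv
import io
import re

# Constructed sample events (assumed layout; the thread never shows the real
# BBCcentral.log format). The second line carries its own userType so the
# OUTPUT vs OUTPUTNEW difference is visible.
SAMPLE_LOG = """\
2024-06-03 10:15:02 INFO details jsmith john.smith@example.com 123456789
2024-06-03 10:15:07 INFO details adoe alice.doe@example.com 987654321 userType=service
2024-06-03 10:15:09 WARN details ghost no.body@example.com 555555555
"""

# Constructed stand-in for identity_lookup: column names come from the thread,
# the rows are invented.
LOOKUP_CSV = """\
sso,jobTitle,orgName,orgSegment,parentOrgname,userType
123456789,Analyst,Security Ops,Corporate,IT,employee
987654321,Engineer,Platform,Corporate,IT,contractor
"""

OUTPUT_FIELDS = ["jobTitle", "orgName", "orgSegment", "parentOrgname", "userType"]

# The rex stages from the accepted answer as Python regexes, plus one assumed
# extraction (userType=...) that gives an event a pre-existing field.
REX_STAGES = [
    re.compile(r"(?P<Email>\w+\.\w+@\w+\.\w+)"),
    re.compile(r"details (?P<Name>\w+)"),
    re.compile(r"(?P<User_ID>\d{9})"),
    re.compile(r"userType=(?P<userType>\w+)"),  # assumed, not in the thread
]


def extract_fields(line):
    """Emulate `| rex ...`: every named group that matches becomes an event field."""
    event = {"_raw": line}
    for rx in REX_STAGES:
        m = rx.search(line)
        if m:
            event.update(m.groupdict())
    return event


def load_lookup(csv_text, key_field):
    """Index the lookup CSV by its key column (here: sso)."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}


def apply_lookup(events, table, key_field, event_field, output_fields, output_new):
    """Emulate `lookup <table> <key_field> as <event_field> OUTPUT|OUTPUTNEW <fields>`.
    OUTPUT (output_new=False) overwrites fields the event already has;
    OUTPUTNEW (output_new=True) only fills fields that are missing.
    Events with no matching row are passed through unchanged."""
    result = []
    for ev in events:
        ev = dict(ev)
        row = table.get(ev.get(event_field))
        if row is not None:
            for f in output_fields:
                if not output_new or f not in ev:
                    ev[f] = row[f]
        result.append(ev)
    return result


def enrich(log_text=SAMPLE_LOG, csv_text=LOOKUP_CSV, output_new=True):
    """Whole pipeline: rex -> lookup -> keep only enriched events -> table.
    Dropping events that got no lookup row mirrors the sso!="" filter in the
    thread; the returned dicts carry only the columns a `| table` would show."""
    table = load_lookup(csv_text, "sso")
    events = [extract_fields(l) for l in log_text.splitlines() if l.strip()]
    enriched = apply_lookup(events, table, "sso", "User_ID", OUTPUT_FIELDS, output_new)
    return [
        {f: ev[f] for f in ["User_ID"] + OUTPUT_FIELDS}
        for ev in enriched
        if "jobTitle" in ev
    ]


if __name__ == "__main__":
    for mode, flag in (("OUTPUTNEW", True), ("OUTPUT", False)):
        print(mode)
        for row in enrich(output_new=flag):
            print("  ", row)
```

Running it shows the third event (User_ID 555555555) disappearing because it has no row in the lookup, and the second event keeping userType=service under OUTPUTNEW but taking the lookup's "contractor" under OUTPUT, which is exactly the distinction btt describes.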

moiezuddin
Explorer

Can you give one example of how to write it with
source="/opt/www/logs/BBCcentral/BBCcentral.log" and the lookup table name (identity_lookup)?
The fields are jobTitle orgName orgSegment parentOrgname userType
