Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help me create a lookup table for fields coming from Azure Monitoring Data Add-On?

donaldwayne1975
Path Finder
‎09-21-2018 10:07 AM

We're using the Azure Monitoring Data Add-on to integrate Splunk and Azure. The Azure events have the subscription ID value (fields name is am_subscriptionId) in each of the events. I would like to be able to put a name/email address to the subscription. I have a lookup table configured which has the fields subscriptionID, subscriptionName, and subscriptionContact. I have attempted to use lookups to no avail. Below is my search. I would like to have a table result with the am_subscriptionId, subscriptionName, and subscriptionContact displayed. 

index=* sourcetype=amal:security 
| lookup azure_subscription_id_to_support_group subscriptionID AS am_subscriptionId OUTPUT subscriptionName
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎10-12-2018 11:50 AM

This issue may have to do with case sensitivity on lookups. By default, lookups are case sensitive, but you can change this by modifying transforms.conf like so:

[azure_subscription_id_to_support_group]
case_sensitive_match = 0
filename = azure_subscription_id_to_support_group.csv

Or, you can do this in the UI too by going to Settings -> Lookups -> Lookup definitions -> azure_subscription_id_to_support_group -> Advanced options -> uncheck Case sensitive match

alt text

Everything else looks good.

View solution in original post

Reply
Solved! Jump to solution
Solution

jconger
Splunk Employee
Splunk Employee
‎10-12-2018 11:50 AM

This issue may have to do with case sensitivity on lookups. By default, lookups are case sensitive, but you can change this by modifying transforms.conf like so:

[azure_subscription_id_to_support_group]
case_sensitive_match = 0
filename = azure_subscription_id_to_support_group.csv

Or, you can do this in the UI too by going to Settings -> Lookups -> Lookup definitions -> azure_subscription_id_to_support_group -> Advanced options -> uncheck Case sensitive match

alt text

Everything else looks good.

Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top