Splunk Search

Can you help me create a lookup table for fields coming from Azure Monitoring Data Add-On?

donaldwayne1975
Path Finder

We're using the Azure Monitoring Data Add-on to integrate Splunk and Azure. The Azure events have the subscription ID value (the field name is am_subscriptionId) in each of the events. I would like to be able to put a name/email address to the subscription. I have a lookup table configured which has the fields subscriptionID, subscriptionName, and subscriptionContact. I have attempted to use lookups to no avail. Below is my search. I would like to have a table result with the am_subscriptionId, subscriptionName, and subscriptionContact displayed.

index=* sourcetype=amal:security
| lookup azure_subscription_id_to_support_group subscriptionID AS am_subscriptionId OUTPUT subscriptionName subscriptionContact
| table am_subscriptionId subscriptionName subscriptionContact

jconger
Splunk Employee

This issue may have to do with case sensitivity on lookups. By default, lookups are case sensitive, but you can change this by modifying transforms.conf like so:

[azure_subscription_id_to_support_group]
case_sensitive_match = 0
filename = azure_subscription_id_to_support_group.csv

Or, you can do this in the UI too by going to Settings -> Lookups -> Lookup definitions -> azure_subscription_id_to_support_group -> Advanced options -> uncheck Case sensitive match


Everything else looks good.

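To make the accepted answer concrete, here is an added Python emulation of what `| lookup ... OUTPUT ...` followed by `| table` does to a batch of events, once with Splunk's default case-sensitive matching and once with the behaviour of `case_sensitive_match = 0`. It is not code from Splunk or from the add-on; the lookup rows and events are constructed, the subscription IDs are made-up GUID-shaped strings, and the script assumes (as the answer does) that the reason the original search returned nothing is a difference in letter case between the GUID in the events and the GUID in the CSV.

```python
import csv
import io

# Constructed stand-in for azure_subscription_id_to_support_group.csv.
# The subscription IDs are made-up GUID-shaped values, not real Azure subscriptions.
LOOKUP_CSV = """subscriptionID,subscriptionName,subscriptionContact
1111aaaa-2222-bbbb-3333-cccc4444dddd,prod-payments,payments-team@example.com
5555eeee-6666-ffff-7777-aaaa8888bbbb,dev-sandbox,sandbox-owner@example.com
"""

# Constructed events. The first carries an upper-case GUID, which is the
# case mismatch that defeats a case-sensitive lookup; the third is a
# subscription that is simply absent from the CSV.
EVENTS = [
    {"am_subscriptionId": "1111AAAA-2222-BBBB-3333-CCCC4444DDDD", "operationName": "Microsoft.Security/alerts/read"},
    {"am_subscriptionId": "5555eeee-6666-ffff-7777-aaaa8888bbbb", "operationName": "Microsoft.Security/alerts/read"},
    {"am_subscriptionId": "9999ffff-0000-1111-2222-333344445555", "operationName": "Microsoft.Security/alerts/read"},
]


def load_lookup(csv_text):
    """Read the CSV into a list of row dicts, as Splunk does for a file-based lookup."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup(events, rows, lookup_field, event_field, output_fields, case_sensitive_match=True):
    """Emulate `| lookup <name> <lookup_field> AS <event_field> OUTPUT <output_fields>`.

    case_sensitive_match=True mirrors Splunk's default: the key must match exactly.
    case_sensitive_match=False mirrors `case_sensitive_match = 0` in transforms.conf:
    keys are compared after lower-casing. Events with no matching row are kept
    unchanged, so the OUTPUT fields are absent for them.
    """
    norm = (lambda s: s) if case_sensitive_match else (lambda s: s.lower())
    index = {norm(r[lookup_field]): r for r in rows}
    result = []
    for ev in events:
        out = dict(ev)
        row = index.get(norm(ev.get(event_field, "")))
        if row is not None:
            for f in output_fields:
                out[f] = row[f]
        result.append(out)
    return result


def table(events, fields):
    """Emulate `| table f1 f2 ...`: keep only the named fields, missing ones as None."""
    return [{f: ev.get(f) for f in fields} for ev in events]


def matched_names(case_sensitive_match):
    """Run the original search's lookup+table over EVENTS and return the
    subscriptionName column, one entry per event (None where nothing matched)."""
    rows = load_lookup(LOOKUP_CSV)
    joined = lookup(EVENTS, rows, "subscriptionID", "am_subscriptionId",
                    ["subscriptionName", "subscriptionContact"], case_sensitive_match)
    shown = table(joined, ["am_subscriptionId", "subscriptionName", "subscriptionContact"])
    return [r["subscriptionName"] for r in shown]


if __name__ == "__main__":
    print("case_sensitive_match = 1:", matched_names(True))
    print("case_sensitive_match = 0:", matched_names(False))
```

With the default setting only the event whose GUID case already agrees with the CSV is enriched; with `case_sensitive_match = 0` both known subscriptions get their name and contact. The third event stays blank under either setting, which is the case worth keeping visible: a subscription ID that appears in security events but has no owner in the lookup is exactly the row an on-call analyst needs to chase down.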

