Splunk Search

How to extract a field with rex and compare it against a lookup to find unmatched events?

siraj198204
New Member

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral 
| rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]"   
| dedup sso_id | lookup identity_lookup sso as sso_id  OUTPUT sso as matched_email  
| where matched_email!="unmatched"

This is not working ?? any idea ....

But this ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral 
| rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]"    

is getting the data ... sso_id ...

but comparing it with a lookup table and events ... I'm not getting the unmatched data. Why is this not working ....????

Tags (3)
0 Karma

lguinn2
Legend

In your configuration of the lookup identity_lookup, did you define a default value of "unmatched"?

You might also replace

| where matched_email!="unmatched"

with

| where matched_email="*"

This may work if you didn't set a default value.

0 Karma

siraj198204
New Member

Hi,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup sso_id | lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso |where matched_sso!="NonNbcAccount"

it is working good ,

but it is adding the null value also ,

10/17/14
10:52:07.108 AM

Example ,

[10/17/2014][07:52:07.108][486480816][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

here the 11 the value is [] null value there is no id ... inside .... but it is also showing as " "NonNbcaccount" ... it should not show up ....

Thanks u ....

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Do note though, where matched_email="*" will look for a literal asterisk. Use search matched_email="*" to say "matched_email contains a value".

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!