Splunk Search
Highlighted

How to extract a field with rex and compare it against a lookup to find unmatched events?

New Member

Hi ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral 
| rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]"   
| dedup sso_id | lookup identity_lookup sso as sso_id  OUTPUT sso as matched_email  
| where matched_email!="unmatched"

This is not working ?? any idea ....

But this ,

index =casm_prod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral 
| rex "(\[[^\]]*\]){10}\[(?P[^\]]*)\]"    

is getting the data ... sso_id ...

but comparing it with a lookup table and events ... I'm not getting the unmatched data. Why is this not working ....????

Tags (3)
0 Karma
Highlighted

Re: How to extract a field with rex and compare it against a lookup to find unmatched events?

Legend

In your configuration of the lookup identity_lookup, did you define a default value of "unmatched"?

You might also replace

| where matched_email!="unmatched"

with

| where matched_email="*"

This may work if you didn't set a default value.

0 Karma
Highlighted

Re: How to extract a field with rex and compare it against a lookup to find unmatched events?

SplunkTrust
SplunkTrust

Do note though, where matched_email="*" will look for a literal asterisk. Use search matched_email="*" to say "matched_email contains a value".

Highlighted

Re: How to extract a field with rex and compare it against a lookup to find unmatched events?

New Member

Hi,

index =casmprod source =/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral | rex "([[^]]]){10}[(?P[^]])]" |dedup ssoid | lookup identitylookup sso as ssoid OUTPUT sso as matchedsso |where matchedsso!="NonNbcAccount"

it is working good ,

but it is adding the null value also ,

10/17/14
10:52:07.108 AM

Example ,

[10/17/2014][07:52:07.108][486480816][][][SupportCentral allow access][NBCU SCLibAllowPolicy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched
sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =

here the 11 the value is [] null value there is no id ... inside .... but it is also showing as " "NonNbcaccount" ... it should not show up ....

Thanks u ....

0 Karma