@alfredoh14, Here's some SPL that gives you a table with the app name, short name, and SQL: | makeresults count=3
| streamstats count as id
| eval sql=case(id=1,"'' as \"FIELD\",''Missing Value'...
See more...
@alfredoh14, Here's some SPL that gives you a table with the app name, short name, and SQL: | makeresults count=3
| streamstats count as id
| eval sql=case(id=1,"'' as \"FIELD\",''Missing Value'' AS \"ERROR\" from scbt_owner.SCBT_LOAD_CLOB_DATA_WORK",
id=2,"'' as \"something \",''Missing Value'' AS \"ERROR\" from ART_owner.ART_LOAD_CLOB_DATA_WORK",
id=3, "from Building_Mailer_owner.Building_Mailer_")
| fields sql
``` The above was just to create the source data ```
| rex field="sql" "from\s+(?<lk_wlc_app_short>.+?)_owner"
| lookup lookup_weblogic_app lk_wlc_app_short
| table lk_wlc_app_short, lk_wlc_app_name, sql The regular expression pulls out the table name in the SQL, eg "from XXXX_owner", and uses the short code to match the app name from the lookup. To make the lookup work, you will need to ensure that the matches are NOT case sensitive, or make sure your lookup fields match what is in the SQL.