I have a question, in microservice based platform where are getting several logs for the different application. Each application tracks unique transactions via a id, either a CorrelationId, SessionId, transactionid I want to be able to put this is a lookup application.csv file and use it for same dashboard so my lookup will look like Application SourceLogs Unique_Identifier App1 Application1.logs CorrelationId App2 Application2.logs SessionId App3 Application3.logs TransactionId I have created a input where the user can select the Application via tkn_app index=application_logs | lookup application.csv SourceLogs as source | search Application=$tkn_app$ | bin span=5m _time | stats dc(Unique_Identifier) AS TPS by _time however this searches for Correlationid , SessionId and TransactionId and not the actual values, how to I make it so Unique_Identfier searches for the right metadata Note the logs are in json format, so the fields Correlationid , SessionId and TransactionId are autodetected by Splunk
... View more