Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How i need to built dashboard If the fields are not present in the source(logs) but all the fields are present in the lookup table .

moiezuddin
Explorer
‎03-16-2015 06:49 AM

1,Use the lookup table identity_lookup and match it to the sso field to get the jobTitle orgName orgSegment parentOrgname userType

source="/opt/www/logs/BBCcentral/BBCcentral.log"

In first search above logs iam unable to find any field (jobTitle orgName orgSegment parentOrgname userType, sso)
but all the fields are present in the lookup table (identity_lookup)

Kindly help me how to built

Kindly help ASAP.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

btt
Path Finder
‎03-19-2015 02:41 AM

Hi,

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup  sso  as User_ID OUTPUTNEW  jobTitle  orgName  orgSegment  parentOrgname  userType

where sso field is present to your lookup table and User_ID is present to your events log

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

btt
Path Finder
‎03-19-2015 02:41 AM

Hi,

"your source" | rex "(?P<Email>\w+.\w+@\w+.\w+)" | rex "details (?P<Name>\w+)" | rex "(?<User_ID>\d{9})" | lookup identity_lookup  sso  as User_ID OUTPUTNEW  jobTitle  orgName  orgSegment  parentOrgname  userType

where sso field is present to your lookup table and User_ID is present to your events log

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-19-2015 03:10 AM

Hi,

i made some changes to your given query now it is showing results.

Thank you for your input..

0 Karma
Reply
Solved! Jump to solution

chimell
Motivator
‎03-18-2015 01:02 AM

Hi moiezuddin
Try this request it will be help you well

source="/opt/www/logs/BBCcentral/BBCcentral.log" | lookup identity_lookup  sso  OUTPUT  jobTitle  orgName  orgSegment parentOrgname  userType | table  jobTitle  orgName  orgSegment  parentOrgname  userType   sso
0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-18-2015 11:15 PM

Hi,
its not working
the lookup table present in field definition not in automatic lookups
if i deleted lookup table automatic lookups my query also dosent work.

Can you help me to right query with regex or some other possibulities
Even i am unable to use field extractor because mentioned fields are not present in the logs .
All the required fields are present in the lookup table

Please help on it

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-17-2015 11:58 PM

just created this Automatic lookups

source="/opt/www/logs/BBCcentral/BBCcentral.log" sso!="" | table jobTitle orgName orgSegment parentOrgname userType.

Its worked

0 Karma
Reply
Solved! Jump to solution

btt
Path Finder
‎03-17-2015 05:46 AM

Hi, have you try with OUTPUTNEW?
If i have understand your problem, you want to get new fields. or, when you specified OUPUT, is to overwrite existing fields with the output lookupfields .

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎03-17-2015 05:59 AM

can you give one example how to right it with the
source="/opt/www/logs/BBCcentral/BBCcentral.log" and lookup table name (identity_lookup)
Fields are jobTitle orgName orgSegment parentOrgname userType

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...