Hi,
index=casm_prod source=/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral
| rex "(\[[^\]]*\]){10}\[(?P<sso_id>[^\]]*)\]"
| dedup sso_id
| lookup identity_lookup sso as sso_id OUTPUT sso as matched_email
| where matched_email!="unmatched"
This is not working?? Any idea....
But this,
index=casm_prod source=/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral
| rex "(\[[^\]]*\]){10}\[(?P<sso_id>[^\]]*)\]"
is getting the data ... sso_id ...
but when comparing it with a lookup table and events ... I'm not getting the unmatched data. Why is this not working....????
In your configuration of the lookup identity_lookup, did you define a default value of "unmatched"?
You might also replace
| where matched_email!="unmatched"
with
| where matched_email="*"
This may work if you didn't set a default value.
Hi,
index=casm_prod source=/opt/siteminder/log/smtracedefault.log sourcetype=smtrace supportcentral
| rex "(\[[^\]]*\]){10}\[(?P<sso_id>[^\]]*)\]"
| dedup sso_id
| lookup identity_lookup sso as sso_id OUTPUT sso as matched_sso
| where matched_sso!="NonNbcAccount"
It is working well,
but it is adding the null value also.
10/17/14
10:52:07.108 AM
Example,
[10/17/2014][07:52:07.108][486480816][][][SupportCentral allow access][NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]
host =useclpapl894.nbcuni.ge.com
matched_sso ="NonNbcAccount"
source =/opt/siteminder/log/smtracedefault.log
sourcetype =smtrace
sso_id =
Here the 11th value is [] (a null value, there is no id inside), but it is also showing up as "NonNbcAccount" ... it should not show up ....
Thank you ....
Do note though, where matched_email="*" will look for a literal asterisk. Use search matched_email="*" to say "matched_email contains a value".
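The pipeline the thread is debugging (extract the 11th bracketed field as sso_id, dedup, look it up, drop the lookup's default value) is emulated below in Python so the blank-id case from the follow-up post can be seen in isolation. This is an added example, not code from the thread or from Splunk; the trace lines, the identity_lookup contents and the e-mail addresses are constructed, and the only piece taken from the thread is the rex pattern and the default value "NonNbcAccount". The point it shows is that an event whose 11th field is [] still matches the regex, with sso_id equal to the empty string, so it has to be filtered out before the lookup runs rather than relied on to fail the later where clause.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Same pattern as the rex in the thread: skip ten bracketed fields and
# capture the eleventh as sso_id.
SSO_ID_RE = re.compile(r"(\[[^\]]*\]){10}\[(?P<sso_id>[^\]]*)\]")

# Constructed sample SiteMinder trace lines (not real log data). Field 11
# holds the SSO id; in the second line it is empty, which is the case the
# follow-up post describes.
SAMPLE_EVENTS = [
    "[10/17/2014][07:52:01.000][486480001][][][SupportCentral allow access]"
    "[NBCU SC_Lib_Allow_Policy][][][][alice][][][][][][][Policy is applicable.][]",
    "[10/17/2014][07:52:07.108][486480816][][][SupportCentral allow access]"
    "[NBCU SC_Lib_Allow_Policy][][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][]",
    "[10/17/2014][07:52:09.500][486480900][][][SupportCentral allow access]"
    "[NBCU SC_Lib_Allow_Policy][][][][bob][][][][][][][Policy is applicable.][]",
    "[10/17/2014][07:52:12.000][486480950][][][SupportCentral allow access]"
    "[NBCU SC_Lib_Allow_Policy][][][][alice][][][][][][][Policy is applicable.][]",
    "[10/17/2014][07:52:15.000][486480999][][][SupportCentral allow access]"
    "[NBCU SC_Lib_Allow_Policy][][][][mallory][][][][][][][Policy is applicable.][]",
]

# Constructed stand-in for the identity_lookup table (sso -> email) and the
# default value the thread's lookup returns for ids it does not know.
IDENTITY_LOOKUP: Dict[str, str] = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
}
LOOKUP_DEFAULT = "NonNbcAccount"


def extract_sso_id(event: str) -> Optional[str]:
    """Return the 11th bracketed field, "" if that field is empty, None if the
    line does not have eleven bracketed fields at all."""
    m = SSO_ID_RE.search(event)
    return m.group("sso_id") if m else None


def dedup(values: Iterable[str]) -> List[str]:
    """Order-preserving dedup, like `| dedup sso_id` keeping the first event."""
    seen = set()
    out: List[str] = []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(v)
    return out


def lookup_identity(sso_id: str,
                    table: Dict[str, str] = IDENTITY_LOOKUP,
                    default: str = LOOKUP_DEFAULT) -> str:
    """Emulates `| lookup ... OUTPUT` with a configured default value."""
    return table.get(sso_id, default)


def blank_id_events(events: Iterable[str]) -> List[str]:
    """Events where the regex matched but the 11th field is []: these are the
    rows that should be dropped before the lookup runs."""
    return [e for e in events if extract_sso_id(e) == ""]


def run_pipeline(events: Iterable[str],
                 table: Dict[str, str] = IDENTITY_LOOKUP,
                 default: str = LOOKUP_DEFAULT) -> List[Tuple[str, str]]:
    """rex -> drop blank/missing ids -> dedup -> lookup -> drop the default."""
    ids = [extract_sso_id(e) for e in events]
    # The explicit non-empty check is the step the posted search lacks.
    present = [i for i in ids if i]
    result: List[Tuple[str, str]] = []
    for sso_id in dedup(present):
        matched = lookup_identity(sso_id, table, default)
        if matched != default:
            result.append((sso_id, matched))
    return result


if __name__ == "__main__":
    print("blank-id events:", len(blank_id_events(SAMPLE_EVENTS)))
    for sso_id, email in run_pipeline(SAMPLE_EVENTS):
        print(sso_id, "->", email)
```

Running it lists one blank-id event (the line copied from the follow-up's shape) and two matched identities; the unknown id "mallory" receives the default and is dropped by the final comparison, while the empty id never reaches the lookup at all.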