Solved: lookup setup for regex extracted value

sumitnagal · ‎09-04-2011

I have a extracted value from log, puserid. now I have map that Id to a user in lookup table. now when I am applying the lookup table I am not getting any results. even after configuring lookup table correctly

Example :

 "some search string" | rex field=_raw " (?<uri>[^ ]*) (?<primary>[A-Za-z]*) (?<puserid>[^ ]*) (?<puri>[^ ]*) " | stats count by puserid

Lookup Mapping, after defining table and definition and automatic setup:

 puserid,plogin
 1234,test

After lookup setup:

 "some search string" | rex field=_raw " (?<uri>[^ ]*) (?<primary>[A-Za-z]*) (?<puserid>[^ ]*) (?<puri>[^ ]*) " | stats count by plogin

araitz · ‎09-04-2011

Keep in mind that lookups are automatically applied at the first pipe in the search string.

Therefore, you can either make the field extraction persistent using props.conf and transforms.conf or force the lookup to run after your rex command.

Assuming you have defined your lookup as foo_lookup:

"some search string" | rex field=_raw " (?<uri>[^ ]*) (?<primary>[A-Za-z]*) (?<puserid>[^ ]*) (?<puri>[^ ]*) " | lookup foo_lookup puserid OUTPUTNEW | stats count by plogin

View solution in original post

araitz · ‎09-04-2011

Keep in mind that lookups are automatically applied at the first pipe in the search string.

Therefore, you can either make the field extraction persistent using props.conf and transforms.conf or force the lookup to run after your rex command.

Assuming you have defined your lookup as foo_lookup:

"some search string" | rex field=_raw " (?<uri>[^ ]*) (?<primary>[A-Za-z]*) (?<puserid>[^ ]*) (?<puri>[^ ]*) " | lookup foo_lookup puserid OUTPUTNEW | stats count by plogin

lookup setup for regex extracted value

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes