https://community.dynatrace.com/t5/DQL/Lookup-value-from-entity-with-the-parsed-value-from-logs/m-p/253097#M1119 <P>I have the content with json in logs which has a key <FONT face="andale mono,times">client_ip</FONT> and trying to get the pod name which has <FONT face="andale mono,times">internalIpAddresses</FONT> from <FONT face="andale mono,times">dt.entity.cloud_application_instance</FONT>. So trying to lookup the IP I got from the logs <FONT face="andale mono,times">client_ip</FONT> with <FONT face="andale mono,times">internalIpAddresses</FONT> and get the pod name (<FONT face="andale mono,times">entity.name</FONT>). But <FONT face="andale mono,times">lookup</FONT> always returns <FONT face="andale mono,times">null</FONT> values. Please help advise. TIA.</P><PRE>fetch logs<BR />| filter matchesValue(aws.log_group, "/aws/logs/alb")<BR />| parse content , "JSON:record"<BR />| fieldsAdd record[client_ip], alias:client_ip<BR />| fieldsAdd record[domain_name], alias:domain_name<BR />| fieldsAdd record[elb_status_code], alias:elb_status_code<BR />| filter client_ip != ""<BR />| fields timestamp, client_ip, domain_name, elb_status_code<BR />| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}</PRE><P>Sample log content.</P><PRE>{ "client_ip": "192.168.2.3", "target_port": 443, "elb_status_code": "200", "target_status_code": "200", "request_verb": "POST", "domain_name": "example.com" }</PRE><P>&nbsp;</P> Fri, 09 Aug 2024 22:57:43 GMT zip-chanko 2024-08-09T22:57:43Z https://community.dynatrace.com/t5/DQL/Lookup-value-from-entity-with-the-parsed-value-from-logs/m-p/253097#M1119 <P>I have the content with json in logs which has a key <FONT face="andale mono,times">client_ip</FONT> and trying to get the pod name which has <FONT face="andale mono,times">internalIpAddresses</FONT> from <FONT face="andale mono,times">dt.entity.cloud_application_instance</FONT>. So trying to lookup the IP I got from the logs <FONT face="andale mono,times">client_ip</FONT> with <FONT face="andale mono,times">internalIpAddresses</FONT> and get the pod name (<FONT face="andale mono,times">entity.name</FONT>). But <FONT face="andale mono,times">lookup</FONT> always returns <FONT face="andale mono,times">null</FONT> values. Please help advise. TIA.</P><PRE>fetch logs<BR />| filter matchesValue(aws.log_group, "/aws/logs/alb")<BR />| parse content , "JSON:record"<BR />| fieldsAdd record[client_ip], alias:client_ip<BR />| fieldsAdd record[domain_name], alias:domain_name<BR />| fieldsAdd record[elb_status_code], alias:elb_status_code<BR />| filter client_ip != ""<BR />| fields timestamp, client_ip, domain_name, elb_status_code<BR />| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}</PRE><P>Sample log content.</P><PRE>{ "client_ip": "192.168.2.3", "target_port": 443, "elb_status_code": "200", "target_status_code": "200", "request_verb": "POST", "domain_name": "example.com" }</PRE><P>&nbsp;</P> Fri, 09 Aug 2024 22:57:43 GMT https://community.dynatrace.com/t5/DQL/Lookup-value-from-entity-with-the-parsed-value-from-logs/m-p/253097#M1119 zip-chanko 2024-08-09T22:57:43Z https://community.dynatrace.com/t5/DQL/Lookup-value-from-entity-with-the-parsed-value-from-logs/m-p/253100#M1120 <P>This is resolved after I changed the lookup query where the <FONT face="andale mono,times">internalIpAddresses</FONT> is array and need to convert into string something like <FONT face="andale mono,times">internalIpAddresses[0]</FONT>. Thanks&nbsp;<SPAN>Angel Mariya Paul from support team.</SPAN></P><P>&nbsp;</P> Sat, 10 Aug 2024 09:36:16 GMT https://community.dynatrace.com/t5/DQL/Lookup-value-from-entity-with-the-parsed-value-from-logs/m-p/253100#M1120 zip-chanko 2024-08-10T09:36:16Z