09 Aug 2024 12:32 PM - edited 09 Aug 2024 12:33 PM
I have the content with json in logs which has a key `client_ip` and trying to get the pod name which has `internalIpAddresses` from `dt.entity.cloud_application_instance`. So trying to lookup the IP I got from the logs `client_ip` with `internalIpAddresses` and get the pod name (entity.name). But `lookup` always returns `null` values. Please help advise. TIA.
I tried these queries.
fetch dt.entity.cloud_application_instance | fieldsAdd internalIpAddresses
busybox_1 | CLOUD_APPLICATION_INSTANCE-30A007499C4655B1 | 192.168.2.3 |
busybox_2 | CLOUD_APPLICATION_INSTANCE-8CBE6E71FB1BABC6 | 192.168.2.4 |
fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content , "JSON:record"
| fieldsAdd record[client_ip], alias:client_ip
| fieldsAdd record[domain_name], alias:domain_name
| fieldsAdd record[elb_status_code], alias:elb_status_code
| filter client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}
2024-08-09T20:50:01.581000000+10:00 | 192.168.2.3 | example.com | 200 | null |
2024-08-09T20:50:02.309000000+10:00 | 192.168.2.3 | example.com | 200 | null |
2024-08-09T20:50:02.368000000+10:00 | 192.168.2.4 | example.com | 200 | null |
Sample content
{
"client_ip": "192.168.2.3",
"target_port": 443,
"elb_status_code": "200",
"target_status_code": "200",
"request_verb": "POST",
"domain_name": "example.com"
}