
Lookup value from entity with the parsed value from logs

zip-chanko
Participant

I have JSON content in logs which has a key client_ip, and I am trying to get the pod name, which has internalIpAddresses, from dt.entity.cloud_application_instance. So I am trying to look up the IP I got from the logs (client_ip) against internalIpAddresses and get the pod name (entity.name). But the lookup always returns null values. Please advise. TIA.

fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content , "JSON:record"
| fieldsAdd record[client_ip], alias:client_ip
| fieldsAdd record[domain_name], alias:domain_name
| fieldsAdd record[elb_status_code], alias:elb_status_code
| filter client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}

Sample log content.

{ "client_ip": "192.168.2.3", "target_port": 443, "elb_status_code": "200", "target_status_code": "200", "request_verb": "POST", "domain_name": "example.com" }

 

1 REPLY

zip-chanko
Participant

This was resolved after I changed the lookup query: internalIpAddresses is an array and needs to be converted into a string, something like internalIpAddresses[0]. Thanks to Angel Mariya Paul from the support team.
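
The fix described in the reply above, written out as a full query. This is an added example, not the poster's or the support team's actual query: it uses expand instead of internalIpAddresses[0], so that a pod with more than one address still matches, and the pod_name alias is a hypothetical name chosen here.

```dql
fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content, "JSON:record"
| fieldsAdd client_ip = record[client_ip],
            domain_name = record[domain_name],
            elb_status_code = record[elb_status_code]
| filter isNotNull(client_ip) and client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
// internalIpAddresses is an array on the entity, so comparing it directly
// with the string client_ip never matches and the lookup yields null.
// expand produces one record per address, each holding a single string;
// internalIpAddresses[0] would compare only the first address.
| lookup [
    fetch dt.entity.cloud_application_instance
    | fieldsAdd internalIpAddresses
    | expand internalIpAddresses
  ], sourceField:client_ip, lookupField:internalIpAddresses, fields:{entity.name}
// The matched pod name comes back as lookup.entity.name and stays null
// when no pod entity owns that address.
| fields timestamp, client_ip, pod_name = lookup.entity.name, domain_name, elb_status_code
```

Records where pod_name is still null are requests whose client_ip does not belong to any known pod entity, which is worth separating out when the goal is to attribute ALB traffic to workloads.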

 
