cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Lookup value from entity with the parsed value from logs

zip-chanko
Participant

I have the content with json in logs which has a key `client_ip` and trying to get the pod name which has `internalIpAddresses` from `dt.entity.cloud_application_instance`. So trying to lookup the IP I got from the logs `client_ip` with `internalIpAddresses` and get the pod name (entity.name). But `lookup` always returns `null` values. Please help advise. TIA.

 

I tried these queries.

 

 

 

fetch dt.entity.cloud_application_instance | fieldsAdd internalIpAddresses

 

 

 

busybox_1CLOUD_APPLICATION_INSTANCE-30A007499C4655B1192.168.2.3
busybox_2CLOUD_APPLICATION_INSTANCE-8CBE6E71FB1BABC6192.168.2.4

 

 

 

 

fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content , "JSON:record"
| fieldsAdd record[client_ip], alias:client_ip
| fieldsAdd record[domain_name], alias:domain_name
| fieldsAdd record[elb_status_code], alias:elb_status_code
| filter client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}

 

 

 

2024-08-09T20:50:01.581000000+10:00192.168.2.3example.com200null
2024-08-09T20:50:02.309000000+10:00192.168.2.3example.com200null
2024-08-09T20:50:02.368000000+10:00192.168.2.4example.com200null

 

Sample content

 

{
  "client_ip": "192.168.2.3",
  "target_port": 443,
  "elb_status_code": "200",
  "target_status_code": "200",
  "request_verb": "POST",
  "domain_name": "example.com"
}

 

0 REPLIES 0

Featured Posts