09 Aug 2024 11:57 PM
I have JSON content in logs which has a key client_ip, and I am trying to get the pod name from dt.entity.cloud_application_instance, which has internalIpAddresses. So I am trying to look up the IP I got from the logs (client_ip) against internalIpAddresses and get the pod name (entity.name). But the lookup always returns null values. Please advise. TIA.
fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content , "JSON:record"
| fieldsAdd record[client_ip], alias:client_ip
| fieldsAdd record[domain_name], alias:domain_name
| fieldsAdd record[elb_status_code], alias:elb_status_code
| filter client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
| lookup sourceField:client_ip, lookupField:internalIpAddresses, [fetch dt.entity.cloud_application_instance], fields:{entity.name}
Sample log content:
{ "client_ip": "192.168.2.3", "target_port": 443, "elb_status_code": "200", "target_status_code": "200", "request_verb": "POST", "domain_name": "example.com" }
10 Aug 2024 10:36 AM
This was resolved after I changed the lookup query: internalIpAddresses is an array and needs to be converted into a string, with something like internalIpAddresses[0]. Thanks to Angel Mariya Paul from the support team.
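
One way to write the corrected lookup described in the reply above, as an added example that is not taken from the original posts. The final query was not posted, so the placement of `internalIpAddresses[0]` inside the subquery and the field name `pod_ip` are assumptions.

```dql
fetch logs
| filter matchesValue(aws.log_group, "/aws/logs/alb")
| parse content, "JSON:record"
| fieldsAdd record[client_ip], alias:client_ip
| fieldsAdd record[domain_name], alias:domain_name
| fieldsAdd record[elb_status_code], alias:elb_status_code
| filter client_ip != ""
| fields timestamp, client_ip, domain_name, elb_status_code
// client_ip is a string, internalIpAddresses is an array, so comparing
// them directly never matches. Derive a scalar string in the subquery
// and join on that instead.
| lookup sourceField:client_ip, lookupField:pod_ip, [
    fetch dt.entity.cloud_application_instance
    // Assumption: the entity field is added explicitly so it is
    // present in the subquery result.
    | fieldsAdd internalIpAddresses
    // pod_ip is a hypothetical field name holding the first address.
    | fieldsAdd pod_ip = internalIpAddresses[0]
    | filter isNotNull(pod_ip)
    | fields entity.name, pod_ip
  ], fields:{entity.name}
```

Only the first element of the array is compared, so an instance with several internal addresses matches on its first address only.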