topic Re: Dynamic parsing ? in Splunk Dev

How to dynamically parse a field?

CaptainPiPoTron — Mon, 07 Sep 2020 17:39:33 GMT

Hello, 😊

i'm new on splunk and i want to know the best way to accomplish the following task

IINFORMATION INPUT :

i have DATA in xml format
in the event the value of ID can be between 1 and 500
in the event there is at least 15 ProductX (it's can be ProductA, ProductB, ProductC, ... ,ProductZ)
ProductX can be use for 300 differents ID

<EventData> <Data Name="ID">5</Data> <Data Name="ProductA">Screw 16</Data> <Data Name="ProductB">Screw 11 </Data> <Data Name="ProductC">Screw G</Data> <Data Name="ProductD">Screw 9</Data> ... ... </EventData>

GOAL :
i want dynamically parse a field called "Result" which depends of the ID which is in the event

EXAMPLE :
if ID = 5 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
if ID = 6 i want that my field "Result" is egal to the value of productD. (Result = Screw9)
if ID = 240 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
if ID = 499 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
and so on..

i try to do the parsing with prop.conf file and trabsforms.conf with INGEST_EVAL and IF and OR but no joy..

any solutions / advices for saving performances / best way to do this please?

Thx !! 😘

Re: Dynamic parsing ?

anilchaithu — Sat, 05 Sep 2020 22:58:10 GMT

@CaptainPiPoTron

Do you want the Result field as an indexed field?

The better solution would be to create a auto lookup with fields ID & Result. Please note, this will be extracted/added at search time

Steps:

Create a csv file with ID & result fields
add csv file to splunk as lookup table
create definition and auto-lookup for the above lookup.

Hope this helps.

Re: Dynamic parsing ?

CaptainPiPoTron — Sat, 05 Sep 2020 23:17:54 GMT

@anilchaithu

thanks for your answer ! 😀 but i think i can't do an auto lookup with FIELDS ID & RESULT (if i understand correctly the lookup table)

because i don't know the value of productA before i got it in the event ..and it can be anything example : productA could be screw 50 or hammer 60 etc...

and yes i want the Result field as an indexed field 🤗

Re: Dynamic parsing ?

ITWhisperer — Sun, 06 Sep 2020 10:24:50 GMT

What is the relationship between the ID and the result you want?

Re: Dynamic parsing ?

CaptainPiPoTron — Sun, 06 Sep 2020 11:54:46 GMT

@ITWhisperer

"result" it's just the name of the field which contains the value of productA or ProductB or ProductX according to the number ID

Re: Dynamic parsing ?

ITWhisperer — Sun, 06 Sep 2020 12:08:21 GMT

Hi @CaptainPiPoTron

Your example data appears to be for one event (attribute name"ID", value 5)

There are many "Data" elements with attributes name ProductX (presumably for each "event")

Does your required "result" field contain all the Product values (as a multivalue field) or a specific value "depending on event id"?

ID	Result
5	Screw 16 Screw 11 Screw G Screw 9
6	Hammer 60 Nail 20
240	Screw 11

Re: Dynamic parsing ?

CaptainPiPoTron — Sun, 06 Sep 2020 12:19:08 GMT

hey @ITWhisperer

"result" field must contain a specific value "depending on event id"

like in example

if ID = 5 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
if ID = 6 i want that my field "Result" is egal to the value of productD. (Result = Screw9)
if ID = 240 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
if ID = 499 i want that my field "Result" is egal to the value of productB. (Result = Screw11)
and so on..

thanks 😉

Re: Dynamic parsing ?

ITWhisperer — Sun, 06 Sep 2020 12:25:17 GMT

@CaptainPiPoTron You haven't explained how splunk can be told which product to use for each event. Do you want to code if event 5 result = Screw 11, if event 6 result = Screw9, etc.? Probably not, so what does "depending on event id" actually mean, how does splunk know which product to return?

Re: Dynamic parsing ?

CaptainPiPoTron — Sun, 06 Sep 2020 12:32:48 GMT

@ITWhisperer

it's why i post here 😉 i don't know how to do it ..

Re: Dynamic parsing ?

ITWhisperer — Sun, 06 Sep 2020 12:39:40 GMT

Have a look at this old answer which might help you extract some fields, which you can then work with to determine which value you want to make the result since you haven't made that clear (except in a few specific examples).