topic Re: Replacing strings in lookup result via transform in Getting Data In

Replacing strings in lookup result via transform

afx — Tue, 18 Jun 2019 08:41:10 GMT

Hi,
I am trying to make a parameterized log more readable.
Assuming a log that has the entries
20,hugo,10.1.1.1
which are the fields
msgid,user,src

I might have a log entry that has a msgid of 20 which then is resolved via a CSV lookup to a readable message which is available as a field:
message="User &A has logged in from &B"

I have that step working already, but I am a bit lost on how to proceed to the next one:

In a second step I want that message to be filled in by the two fields that have been extracted from the log (Say A=hugo and B=10.1.1.1) so that the result is available as a field
fullmessage="User hugo has logged in from 10.1.1.1"

All of this in props.conf/transforms.conf so that fullmessage is available for reports later on.

thx
afx

Re: Replacing strings in lookup result via transform

harshpatel — Tue, 18 Jun 2019 10:06:32 GMT

Hi @afx is the string "User hugo has logged in from 10.1.1.1" except hugo and 10.1.1.1 static?

Re: Replacing strings in lookup result via transform

afx — Tue, 18 Jun 2019 10:55:08 GMT

That string is static yes, but it comes from a lookup.

Re: Replacing strings in lookup result via transform

harshpatel — Tue, 18 Jun 2019 11:30:13 GMT

Have you tried EVAL in props.conf? For example: EVAL-fieldname = field1 + field2

Re: Replacing strings in lookup result via transform

afx — Wed, 19 Jun 2019 06:43:02 GMT

After checking the docs, I unfortunately found that I cannot use EVAL on results from a LOOKUP.