https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448233#M77936 <P>Your image of the data is broken. Please try copy-paste rather than inserting an image.</P> Tue, 11 Sep 2018 11:20:00 GMT richgalloway 2018-09-11T11:20:00Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448232#M77935 <P>Hello!<BR /> Need help with monitoring <BR /> We monitor the directory and load from the text files the data of the following format:</P> <P><A href="http://immage.biz/image/SVoO">http://immage.biz/image/SVoO</A></P> <P>We need to complete the record of information about the IP address with resolve by name of the PC (armName) after adding the event data.<BR /> How to make such an enrichment and also remove some of the fields that do not carry useful information for us?</P> Tue, 11 Sep 2018 07:31:15 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448232#M77935 neroi 2018-09-11T07:31:15Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448233#M77936 <P>Your image of the data is broken. Please try copy-paste rather than inserting an image.</P> Tue, 11 Sep 2018 11:20:00 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448233#M77936 richgalloway 2018-09-11T11:20:00Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448234#M77937 <P>thanks for your comment.<BR /> Edited</P> Tue, 11 Sep 2018 12:17:51 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448234#M77937 neroi 2018-09-11T12:17:51Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448235#M77938 <P>You can enrich your data using <CODE>lookup</CODE> using either DNS or a local lookup file. To use DNS:</P> <PRE><CODE>... | lookup dnslookup clienthost as armName OUTPUT clientip as armIP | ... </CODE></PRE> <P>To use a local file you will need a CSV file with two fields: armName and armIP. Upload that file to your search head and use this SPL:</P> <PRE><CODE>... | lookup armlookup.csv armName OUTPUT armIP | ... </CODE></PRE> <P>Use the <CODE>fields</CODE> command to remove unwanted fields at search time.</P> <PRE><CODE>... | fields - field6 field7 | ... </CODE></PRE> <P>There are ways to prevent indexing of fields at index time, but we'd have to know about how you ingest this file. Share your props.conf settings, if you can.</P> Tue, 11 Sep 2018 15:17:44 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448235#M77938 richgalloway 2018-09-11T15:17:44Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448236#M77939 <P>Hello! Thank you for answer.</P> <P>We use the first method now. But it gets the value of the address at the current moment when the search query occurs. And we need to store the value obtained at the time of receiving the data.</P> Wed, 12 Sep 2018 13:14:39 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448236#M77939 neroi 2018-09-12T13:14:39Z https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448237#M77940 <P>any comment to this question?</P> Tue, 18 Sep 2018 08:58:15 GMT https://community.splunk.com/t5/Getting-Data-In/monitoring-directory-files/m-p/448237#M77940 neroi 2018-09-18T08:58:15Z