topic Re: Lookups - dynamic values in Splunk Search

Lookups - dynamic values

namritha — Wed, 12 Oct 2016 21:44:50 GMT

Hi,

My lookup table has 3 columns, host, sitename and environment.

Input to lookup is host name.
If the host name contains "d2" sitename="BOHO", if hostname contains "d3" sitename="Cranebank".
If the host name contains "prod" environment="Production", if hostname contains "sys" environment="System testing".

For example,
host =jboss-vm-2f5r8.prod.d2-nonpfv-brown.cloud.pi.com
sitename="BOHO" and environment="Production"

jboss-vm-6j5v3.prod.d3-nonpfv-brown.cloud.pi.com
sitename="Cranebank" and environment="Production"

jboss-vm-4l3s1.sys.d2-nonpfv-green.cloud.pi.com
sitename="BOHO" and environment="System Testing"

jboss-vm-8w3b2.sys.d3-nonpfv-green.cloud.pi.com
sitename="Cranebank" and environment="System Testing"

I do not want to hardcode sitename and environment in the lookup table. Instead I want the sitename and environment to be generated dynamically based on the host name.

Is there any way of doing it using lookup?

Thanks

Re: Lookups - dynamic values

msivill_splunk — Wed, 12 Oct 2016 23:04:35 GMT

So the following should get you started.

| stats count as host 
| eval host="jboss-vm-2f5r8.prod.d2-nonpfv-brown.cloud.pi.com" 
| rex field=host "(?<host_part1>[^\.]*)\.(?<host_part2>[^\.]*)\.(?<host_part3>[^\-]*).*" 
| eval sitename=case(host_part3=="d2","BOHO",host_part2=="d3","Cranebank") 
| eval environment=case(host_part2=="prod","Production",host_part2=="sys","System testing")

The trick is to break up the host string using rex into fields with the text to check, then use a case command to test the text and then set it to the value you want. Depending on how consistent the naming convention for the host is the rex may need some tweaking.

Re: Lookups - dynamic values

maciep — Wed, 12 Oct 2016 23:29:53 GMT

I'm not sure exactly what you mean when saying you don't want to hardcode them in a lookup. I think you have a couple different options.

First, if those are literally the only two environements and sites, you could just create a couple calculated fields

eval env = case(match(host,"(?i)\.prod\."),"Production",match(host,"(?i)\.sys\."),"System Testing",1=1,"unknown")
eval site =  case(match(host,"(?i)\.d2"),"BOHO",match(host,"(?i)\.d3"),"Cranebank",1=1,"unknown")

Or i you have a lot of them, you can use a couple lookup tables - maybe one for site and one for environment. Configure them to allow wildcard matching on host, and I think you should be fine.

For example:

host,env
*.prod.*,Production
*.sys.*,System Testing

Re: Lookups - dynamic values

namritha — Thu, 13 Oct 2016 17:28:46 GMT

I guess you cannot accomplish what I asked for using lookups alone. It also requires changes in transforms.conf and props.conf

I have switched over to using calculated fields.

Thanks for the help.