topic Re: How to create a search lookup macro to output enriching field names appended to passed matching field name in Splunk Search

How to create a search lookup macro to output enriching field names appended to passed matching field name

jc28187 — Fri, 22 Apr 2022 16:51:41 GMT

I'm trying to create a search macro which accepts a field to match on and enriches the results with matches and outputs those enriching fields appending the matching value's matching field name as the new field names.

For example:

`my_macro(sourceAddress)`

Should output the following field names (if it matches):

sourceAddress_WHOIS
sourceAddress_Severity
sourceAddress_lastCheck

Where WHOIS, Severity, and lastCheck are field names in the lookup table.

This should also exhibit the same behavior, dynamically, for `my_macro(destinationAddress)`:

destinationAddress_WHOIS
destinationAddress_Severity
destinationAddress_lastCheck

This macro may be called multiple times against multiple field names in a single search. destinationAddress, sourceAddress, clientAddress, proxyAddress, and more are all potential field names in the searches this macro would be used for and multiple combinations of each can potentially exist in each result. I'd like to be able to clearly see which fields were enriched by the lookup table, if enrichment occurred.

Re: How to create a search lookup macro to output enriching field names appended to passed matching field name

ITWhisperer — Fri, 22 Apr 2022 16:56:21 GMT

| lookup lookup_address.csv address as $address_field$ output WHOIS as $address_field$_WHOIS Severity as $address_field$_Severity lastCheck as $address_field$_lastCheck

Re: How to create a search lookup macro to output enriching field names appended to passed matching field name

VatsalJagani — Fri, 22 Apr 2022 17:23:59 GMT

@jc28187 - Use this (what is provided by @ITWhisperer ) as definition of macro.

* Use address_field in the args.

* Use my_macro(1) as the name of the macro.

Your macros.conf entry would look something like this if you are adding macro from the backend:

[my_macro(1)] definition = | lookup lookup_address.csv address as $address_field$ output WHOIS as $address_field$_WHOIS Severity as $address_field$_Severity lastCheck as $address_field$_lastCheck args = address_field

I hope this helps!! Upvote would be appreciated!!!

Re: How to create a search lookup macro to output enriching field names appended to passed matching field name

jc28187 — Fri, 22 Apr 2022 17:31:06 GMT

I had to remove the preceding pipe in the macro definition and this solution worked just fine.

I was trying to over-engineer something using evals to generate field names in values and then use those values to create the field names then use "field -" to remove the fields generated by the lookup after the values were copied to the new eval'd fields... It was a circus.

Thank you for helping me tame it.