https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122625#M33063 <P>If you are only using RegEx for case-(in)sensitivity, you can do this without RegEx by using the <CODE>case_sensitive_match = false</CODE> directive in <CODE>transforms.conf</CODE> for your automatic lookup.</P> Sun, 09 Aug 2015 21:36:04 GMT woodcock 2015-08-09T21:36:04Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122623#M33061 <P>I am indexing web logs in Splunk and one thing I am trying to do is attempt to match the URI against a list of regexes to categorize the type of request...</P> <PRE><CODE>index=weblog | replace *wp-login.php* with "WordPress Login" in uri_path | replace *wp-content* with "WordPress Content", *wp-include* with "WordPress Include", *wp-comment* with "WordPress Comment" in uri_path | replace *wp-admin* with "WordPress Admin Access" in uri_path |replace *wpad.dat* with "WebProxy AutoDetection" in uri_path | ... </CODE></PRE> <P>What I would like to do is add a <CODE>request_type field</CODE> to the events that contains that information. The problem is that not everything is a <CODE>*</CODE> wildcard. Some of the <CODE>request_type</CODE> information I want to capture is more of a regex. For example:<BR /> <PRE><BR /> /[Mm][aA4][iIl1][1lL][eE3][rR].php<BR /> /[Mm][aA4][iIl1][eE3][1lL][rR].php<BR /> </PRE></P> <P>Is there a way to do this via a lookup table? I could do it with an external script, but I seem to run into issues when I have more than a couple hundred things to lookup (I'll see results while the list is small, but then as the list grows, the lookup results start to disappear).</P> <PRE><CODE>index=weblog | stats count by uri_path | lookup REQUEST_lookup uri_path OUTPUT request_type </CODE></PRE> Fri, 03 Apr 2015 13:26:23 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122623#M33061 mjbroekman 2015-04-03T13:26:23Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122624#M33062 <P>Are the URI's and request types so unique that you actually have to look them up against a list? Can you give some idea as to what the request types are to you and how they're being determined? I'm not sure what that regex example is supposed to be... you might need to clarify a bit.</P> Sat, 04 Apr 2015 00:42:08 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122624#M33062 rsennett_splunk 2015-04-04T00:42:08Z https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122625#M33063 <P>If you are only using RegEx for case-(in)sensitivity, you can do this without RegEx by using the <CODE>case_sensitive_match = false</CODE> directive in <CODE>transforms.conf</CODE> for your automatic lookup.</P> Sun, 09 Aug 2015 21:36:04 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-add-a-field-automatically-to-events-with-using/m-p/122625#M33063 woodcock 2015-08-09T21:36:04Z