topic Re: How to create a new fields based on some characters in _raw log in Splunk Search

How to create a new fields based on some characters in _raw log

splunker12er — Fri, 14 Mar 2014 13:46:56 GMT

I wanted to create a new field name like 'Country' from the incoming logs based on some characters in the hostname.

Raw logs:

Timestamp                    Type         Hostname   Service     Status    
Fri Mar 14 11:16:16 2014 $ SERVICEALERT $ AU_DC_1    $ SERVICE1  $ OK
Fri Mar 14 11:17:11 2014 $ HOSTALERT    $ IN_DC_2    $ SERVICE2  $ WARNING
Fri Mar 14 11:18:12 2014 $ HOSTEALERT   $ SG_DC_1    $ SERVICE3  $ OK

From the above logs from the HOSTNAME (AU_DC,IN_DC,SG_DC) represents Country (Australia,India,Singapore)

I wanted to create a new fields with this how can create it ?

i tried to tag this , but each time the HOSTNAME may differ , is there any eval commands help?

please help.

Re: How to create a new fields based on some characters in _raw log

lukejadamec — Fri, 14 Mar 2014 13:54:09 GMT

How many countries?

Re: How to create a new fields based on some characters in _raw log

rakesh_498115 — Mon, 28 Sep 2020 16:08:23 GMT

Hi splunker12er,

If there only three specfic hosts as you say to can use the eval statment like this in your search
query

[your search ] | eval NEWHOSTNAME=case(hostname==AU_DC,"Australia",hostname==IN_DC,"India",hostname==SD_DC,"Singapore")

or if the no of hostnames are more you can use lookup .pls refer

http://docs.splunk.com/Documentation/Splunk/6.0.2/SearchReference/Lookup

Hope this helps !

Re: How to create a new fields based on some characters in _raw log

splunker12er — Fri, 14 Mar 2014 13:57:15 GMT

I have too many hosts

Re: How to create a new fields based on some characters in _raw log

lukejadamec — Mon, 28 Sep 2020 16:08:26 GMT

You might need to use the full value:
AU_DC_1, IN_DC_2, SG_DC_1

Also, you might want to include 1==1 as the last case statement to catch unmatched values.

Re: How to create a new fields based on some characters in _raw log

gnovak — Fri, 14 Mar 2014 14:12:12 GMT

I think you could use Lookups for this. If you have a large list, I think lookups would be the better option for you.

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents
http://docs.splunk.com/Documentation/Splunk/6.0.2/Knowledge/Addfieldsfromexternaldatasources

You could do a static lookup. You'd have to make the CSV list of all the hostnames and the country they are associated with, but it would provide you with the data you are looking for and create the Country field automatically.

To test it you could start off with just a small list.

This is also a great blog on how this works. The example is very similar to what you are trying to do.

http://blogs.splunk.com/2009/07/27/enriching-data-with-lookups-part-1/

Re: How to create a new fields based on some characters in _raw log

somesoni2 — Fri, 14 Mar 2014 15:59:17 GMT

You want to add new field, say country with values AU/IN/SG or Australia/India/Singapore? If first, then you just need field extraction (using rex/props.conf). If second, then you need field extraction and lookups both.