topic Re: using eval with automatic lookups in Splunk Search

using eval with automatic lookups

Bulluk — Thu, 15 Dec 2011 12:20:55 GMT

Is there a way to perform an eval when using an automatic lookup? I'm using user IDs in IIS logs to find a user's real name (and lots more stuff but for simplicity let's just say name.) My problem is that the user names can randomly be mixed case so I need to perform an

eval lower(cs_username)

prior to performing the lookup. This works fine on the search bar

sourcetype="iis" | eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

Unfortunately I can't get this to work with automatic lookups without manually include the eval statement in all my searches. so....:

Is there a way to auto-append a search term to a source type, ie for sourcetype="iis" append eval lowuser=lower(cs_username)
is there a way to add the eval to the auto-lookup stanza in props.conf?

Thanks in advance!

Re: using eval with automatic lookups

lguinn2 — Sun, 18 Dec 2011 02:01:15 GMT

You could do a scripted lookup instead of a file-based lookup. Then you could change the case of the input field(s) as part of your script.

Another choice, though not as nice, is to build a macro that contains

eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

But you would have to invoke the macro whenever you wanted the lookup...

Re: using eval with automatic lookups

dwaddle — Sun, 18 Dec 2011 03:59:54 GMT

In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.

But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.

See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:

[ad_lookup]
case_sensitive_match = false

Re: using eval with automatic lookups

Bulluk — Mon, 19 Dec 2011 10:04:26 GMT

It feels like a scripted input would probably be the best long term solution so I've marked this answer up but have set dwaddle's response as the accepted answer as it's the one I've used for now. Thanks for your help 🙂

Re: using eval with automatic lookups

Bulluk — Mon, 19 Dec 2011 10:04:50 GMT

oh.... I would have if I had enough reputation lol

Re: using eval with automatic lookups

Bulluk — Mon, 19 Dec 2011 10:05:38 GMT

I went with this as it was a very quick fix and meant I could start showing Splunk off to the web analytic guys who paid for it ASAP. Thanks for your help

Re: using eval with automatic lookups

lguinn2 — Wed, 21 Dec 2011 22:00:55 GMT

Np - thanks! -- Actually, I like dwaddle's answer better for most cases.