Splunk Search

execute search and replace parts with result from sql query

marguin
New Member

So I have a Splunk deployment with a saved search, and I want to transform the user_id into a related piece of information that I have in my MySQL database. I have the SQL connector installed, but being very new to it, I cannot see how, or IF, I can execute a search and have the MySQL connector do a transform of sorts. For argument's sake, say this is what my log entry looks like in Splunk:

2012-06-01 15:02:55,965 INFO [com.currensee.platform.brokers.mt4.MT4TerminalConnection] [133856274504727275588810219999289] - < response="">closeu42416;c12811;be2-9.bsn.currensee.com;

where u42416 is the user_id and c12811 is a credential id. I want to look up each of those IDs in the database and replace them with the ticker from the database and the username in the displayed search results. Assuming that I have the query that will give me the ticker and username (which I do)... can I do this transform?

0 Karma

dshpritz
SplunkTrust

This can be done, but you would be doing it using a dynamic lookup. That is, it would be a Python script which would run the query and return the info from the database. This would not be displayed in the data, but would be a field value attached to each event.

See:
http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources

0 Karma
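What the answer describes, as an added example that is not from the original thread or from Splunk's own documentation: an external (scripted) lookup. Splunk invokes the script named by `external_cmd` in transforms.conf, passes it a CSV on stdin whose header is the lookup's field list, and expects the same CSV back on stdout with the output fields filled in. The field names (`user_id`, `credential_id`, `ticker`, `username`), the table layout, the sample rows and the use of an in-memory SQLite database in place of the poster's MySQL server are all assumptions made for this example; with MySQL you would swap `connect()` for a real driver connection using a read-only account. The two IDs are assumed to already be extracted as fields from the event (for instance with `rex "close(?<user_id>u\d+);(?<credential_id>c\d+);"`). Because the IDs originate in log data, the script binds them as query parameters rather than interpolating them into SQL text.

```python
#!/usr/bin/env python3
"""Splunk external lookup: resolve user_id / credential_id through a SQL query.

Assumed transforms.conf stanza (hypothetical names, not from the thread):

    [user_db_lookup]
    external_cmd  = user_db_lookup.py user_id credential_id ticker username
    external_type = python
    fields_list   = user_id, credential_id, ticker, username

Splunk writes a CSV with that header to stdin; we write the same CSV back
to stdout with ticker/username filled in for each row.
"""
import csv
import sqlite3
import sys

FIELDS = ["user_id", "credential_id", "ticker", "username"]


def connect():
    """Stand-in for the MySQL connection.

    This builds an in-memory SQLite database seeded with constructed rows so
    the example runs offline. In production, open the real database here with
    a read-only account; nothing this script does needs write access.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id TEXT PRIMARY KEY, username TEXT)")
    conn.execute("CREATE TABLE credentials (credential_id TEXT PRIMARY KEY, ticker TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("u42416", "alice"), ("u10001", "bob")])            # constructed
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [("c12811", "EURUSD"), ("c20002", "GBPJPY")])        # constructed
    return conn


def resolve(conn, user_id, credential_id):
    """Return (ticker, username); each is '' when there is no match.

    Both values come straight out of event data, so they are bound with
    placeholders. Never build the SQL string with formatting or concatenation:
    a crafted log entry would otherwise become a SQL injection into the
    lookup database.
    """
    ticker, username = "", ""
    if user_id:
        row = conn.execute("SELECT username FROM users WHERE user_id = ?",
                           (user_id,)).fetchone()
        if row:
            username = row[0]
    if credential_id:
        row = conn.execute("SELECT ticker FROM credentials WHERE credential_id = ?",
                           (credential_id,)).fetchone()
        if row:
            ticker = row[0]
    return ticker, username


def process(rows, conn=None):
    """Fill in ticker/username for each input row (a dict keyed by FIELDS).

    Rows with no match are returned with the output fields left blank, so
    Splunk simply adds no ticker/username to that event rather than dropping it.
    """
    conn = conn or connect()
    out = []
    for row in rows:
        ticker, username = resolve(conn, row.get("user_id", ""), row.get("credential_id", ""))
        new = dict(row)
        new["ticker"] = ticker
        new["username"] = username
        out.append(new)
    return out


def main():
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames or FIELDS)
    writer.writeheader()
    for row in process(reader):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Placed in an app's `bin` directory and marked executable, the lookup is then used from a search as `... | lookup user_db_lookup user_id credential_id OUTPUT ticker username` (or attached automatically with a `LOOKUP-` stanza in props.conf). Note that `external_type = python` runs the script with the Python interpreter bundled with Splunk, under the account splunkd runs as, and once per search rather than per event, so keep the database credentials out of the script itself (a config file readable only by that account, or a Splunk storage/passwords entry) and grant that account SELECT only.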