How to dynamically parse a field?

CaptainPiPoTron
Engager

Hello, 😊

I'm new to Splunk and I want to know the best way to accomplish the following task.

INFORMATION INPUT:

  • I have data in XML format
  • in the event, the value of ID can be between 1 and 500
  • in the event there are at least 15 ProductX entries (they can be ProductA, ProductB, ProductC, ..., ProductZ)
  • ProductX can be used for 300 different IDs

<EventData>
<Data Name="ID">5</Data> 
<Data Name="ProductA">Screw 16</Data> 
<Data Name="ProductB">Screw 11 </Data> 
<Data Name="ProductC">Screw G</Data> 
<Data Name="ProductD">Screw 9</Data> 
...
...
</EventData>

GOAL:
I want to dynamically parse a field called "Result" which depends on the ID that is in the event.

EXAMPLE:
if ID = 5, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 6, I want my field "Result" to be equal to the value of ProductD (Result = Screw9)
if ID = 240, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 499, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
and so on...

I tried to do the parsing with props.conf and transforms.conf with INGEST_EVAL and IF and OR, but no joy...

Any solutions / advice for saving performance / the best way to do this, please?

Thx !! 😘


ITWhisperer
SplunkTrust

What is the relationship between the ID and the result you want?


CaptainPiPoTron
Engager

@ITWhisperer 

"Result" is just the name of the field which contains the value of ProductA or ProductB or ProductX, according to the ID number.

ITWhisperer
SplunkTrust

Hi @CaptainPiPoTron 

Your example data appears to be for one event (attribute name "ID", value 5).

There are many "Data" elements with attribute name ProductX (presumably for each "event").

Does your required "Result" field contain all the Product values (as a multivalue field) or a specific value "depending on event id"?

ID    Result
5     Screw 16
      Screw 11
      Screw G
      Screw 9
6     Hammer 60
      Nail 20
240   Screw 11

CaptainPiPoTron
Engager

Hey @ITWhisperer

The "Result" field must contain a specific value "depending on event id",

like in the example:

if ID = 5, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 6, I want my field "Result" to be equal to the value of ProductD (Result = Screw9)
if ID = 240, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
if ID = 499, I want my field "Result" to be equal to the value of ProductB (Result = Screw11)
and so on...

thanks 😉


ITWhisperer
SplunkTrust

@CaptainPiPoTron You haven't explained how Splunk can be told which product to use for each event. Do you want to code if event 5 result = Screw 11, if event 6 result = Screw9, etc.? Probably not, so what does "depending on event id" actually mean? How does Splunk know which product to return?

CaptainPiPoTron
Engager

@ITWhisperer 

That's why I posted here 😉 I don't know how to do it...

ITWhisperer
SplunkTrust

Have a look at this old answer which might help you extract some fields, which you can then work with to determine which value you want to make the result since you haven't made that clear (except in a few specific examples).


CaptainPiPoTron
Engager

@anilchaithu  

Thanks for your answer! 😀 But I think I can't do an auto lookup with the fields ID & RESULT (if I understand the lookup table correctly),

because I don't know the value of ProductA before I get it in the event, and it can be anything; for example, ProductA could be Screw 50 or Hammer 60, etc.

And yes, I want the Result field as an indexed field 🤗

anilchaithu
Builder

@CaptainPiPoTron 

Do you want the Result field as an indexed field?

The better solution would be to create an auto lookup with the fields ID & Result. Please note, this will be extracted/added at search time.

Steps:

  • Create a CSV file with ID & Result fields
  • Add the CSV file to Splunk as a lookup table
  • Create a definition and auto-lookup for the above lookup.

Hope this helps.

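The lookup approach above only works once the missing piece ITWhisperer kept asking for exists: a table that says which product field each ID maps to. The following Python is an added example, not code from this thread or from Splunk; it models that two-step logic offline (lookup ID to product name, then read that product's value from the event) using a constructed CSV built from the question's own examples and the question's XML layout, so the expected Result for each ID can be checked before turning it into a Splunk lookup.

```python
import csv
import io
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

# Constructed lookup table (the CSV anilchaithu suggests), filled with the
# ID -> product pairs given in the question. Hypothetical data.
ID_TO_PRODUCT_CSV = """ID,Product
5,ProductB
6,ProductD
240,ProductB
499,ProductB
"""

# Constructed sample event in the <EventData> layout shown in the question.
SAMPLE_EVENT = """<EventData>
<Data Name="ID">5</Data>
<Data Name="ProductA">Screw 16</Data>
<Data Name="ProductB">Screw 11 </Data>
<Data Name="ProductC">Screw G</Data>
<Data Name="ProductD">Screw 9</Data>
</EventData>"""


def load_lookup(csv_text):
    """Return {ID: product field name} from the CSV lookup table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ID"].strip(): row["Product"].strip() for row in reader}


def parse_event(xml_text):
    """Return {Name attribute: text} for every <Data> element of one event."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}


def resolve_result(xml_text, lookup):
    """Result = value of the product field that the lookup maps this event's ID to.

    Returns None when the ID is not in the lookup or the product is missing from
    the event, so an unmapped ID is visible instead of silently picking a field.
    """
    fields = parse_event(xml_text)
    product = lookup.get(fields.get("ID"))
    if product is None:
        return None
    return fields.get(product)
```

The same split applies in Splunk: the CSV lookup supplies the product name per ID at search time, and a field extraction or eval then picks that product's value; only the ID-to-product table has to be maintained, not every product value.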