Hello, 😊
I'm new to Splunk and I want to know the best way to accomplish the following task.
INFORMATION INPUT:
<EventData>
<Data Name="ID">5</Data>
<Data Name="ProductA">Screw 16</Data>
<Data Name="ProductB">Screw 11 </Data>
<Data Name="ProductC">Screw G</Data>
<Data Name="ProductD">Screw 9</Data>
...
...
</EventData>
GOAL:
I want to dynamically parse a field called "Result" which depends on the ID that is in the event.
EXAMPLE:
If ID = 5, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
If ID = 6, I want my field "Result" to be equal to the value of ProductD. (Result = Screw9)
If ID = 240, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
If ID = 499, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
and so on...
I tried to do the parsing with the props.conf file and transforms.conf with INGEST_EVAL and IF and OR, but no joy...
Any solutions / advice on preserving performance / the best way to do this, please?
Thx!! 😘
What is the relationship between the ID and the result you want?
"Result" is just the name of the field which contains the value of ProductA or ProductB or ProductX according to the ID number.
Your example data appears to be for one event (attribute name "ID", value 5).
There are many "Data" elements with attribute name ProductX (presumably for each "event").
Does your required "result" field contain all the Product values (as a multivalue field) or a specific value "depending on event id"?
| ID | Result |
| --- | --- |
| 5 | Screw 16 |
| 6 | Hammer 60 Nail 20 |
| 240 | Screw 11 |
Hey @ITWhisperer
The "Result" field must contain a specific value "depending on event id", like in the example:
If ID = 5, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
If ID = 6, I want my field "Result" to be equal to the value of ProductD. (Result = Screw9)
If ID = 240, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
If ID = 499, I want my field "Result" to be equal to the value of ProductB. (Result = Screw11)
and so on...
Thanks 😉
@CaptainPiPoTron You haven't explained how splunk can be told which product to use for each event. Do you want to code if event 5 result = Screw 11, if event 6 result = Screw9, etc.? Probably not, so what does "depending on event id" actually mean, how does splunk know which product to return?
That's why I posted here 😉 I don't know how to do it...
Have a look at this old answer which might help you extract some fields, which you can then work with to determine which value you want to make the result since you haven't made that clear (except in a few specific examples).
Thanks for your answer! 😀 But I think I can't do an auto lookup with fields ID & RESULT (if I understand the lookup table correctly),
because I don't know the value of ProductA before I get it in the event, and it can be anything. Example: ProductA could be Screw 50 or Hammer 60, etc.
And yes, I want the Result field as an indexed field 🤗
Do you want the Result field as an indexed field?
The better solution would be to create an auto lookup with fields ID & Result. Please note that this will be extracted/added at search time.
Steps:
Hope this helps.
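To make the ID-to-product selection concrete, here is an added Python example (not Splunk configuration and not code from anyone in the thread) that parses one EventData event and applies a lookup from ID to the *field name* rather than to the value, which is what the auto-lookup suggestion amounts to when the product values are not known in advance. The ID-to-field table and the sample event are constructed from the examples above; every other ID is assumed to be unmapped.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample event in the thread's EventData format (not a real log).
SAMPLE_EVENT = """<EventData>
<Data Name="ID">5</Data>
<Data Name="ProductA">Screw 16</Data>
<Data Name="ProductB">Screw 11 </Data>
<Data Name="ProductC">Screw G</Data>
<Data Name="ProductD">Screw 9</Data>
</EventData>"""

# Hypothetical lookup table built from the thread's examples: it maps an ID to the
# name of the field that holds the answer, so product values need not be known upfront.
ID_TO_FIELD = {5: "ProductB", 6: "ProductD", 240: "ProductB", 499: "ProductB"}


def parse_event_data(raw: str) -> dict:
    """Return {Name: value} for every <Data> element, trimming stray whitespace
    such as the trailing space in "Screw 11 "."""
    root = ET.fromstring(raw)
    return {d.get("Name"): (d.text or "").strip() for d in root.iter("Data")}


def resolve_result(fields: dict) -> Optional[str]:
    """Pick the Result value for one parsed event.

    Returns None when the ID is missing or not numeric, when the ID has no
    entry in the lookup, or when the mapped product field is absent from the event.
    """
    try:
        event_id = int(fields.get("ID", ""))
    except ValueError:
        return None
    target_field = ID_TO_FIELD.get(event_id)
    if target_field is None:
        return None
    return fields.get(target_field)


def result_for_event(raw: str) -> Optional[str]:
    """Convenience wrapper: raw EventData XML -> Result value (or None)."""
    return resolve_result(parse_event_data(raw))


if __name__ == "__main__":
    print(result_for_event(SAMPLE_EVENT))  # Screw 11
```

In Splunk the ID-to-field table would be the lookup and the selection an eval at search time, which is the search-time approach the last answer describes.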