Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Combining fields pre-search

foomanjee
Explorer
‎05-15-2013 08:06 AM

Hello, I have what may or may not be a bit of a unique issue regarding extracted fields.

We've got a few webservers and we use a relatively unique custom log format, so I've had to manually extract fields. One of the fields is the HTTP header hostname that Apache sees.

The issue is this: We have several sites with multiple hostnames that all serve the same content. For example:
www.domain.com
origin-www.domain.com

The CustomLog in Apache shows both hostnames in their respective log lines, so Splunk does as well.

This results in our Splunk generated graphs showing both fields separately, rather than combined, which results in incorrect numbers (hits/sec, etc).

What I need is to combine those two. In other words, I want splunk to combine the origin-www.domain.com field with the www.domain.com field.

Any ideas on how this can be done?

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎05-15-2013 11:01 AM

One simple way is that before you transform the data with stats/chart/timechart, just clean it up a little with eval.

| eval host=replace(host,"origin-www.","www.")

If there are many different ways in which duplicates exist, but the list is relatively stable over time another tool you might use is a lookup, to map each duplicate hostname to the main one.

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎05-15-2013 11:01 AM

One simple way is that before you transform the data with stats/chart/timechart, just clean it up a little with eval.

| eval host=replace(host,"origin-www.","www.")

If there are many different ways in which duplicates exist, but the list is relatively stable over time another tool you might use is a lookup, to map each duplicate hostname to the main one.

0 Karma
Reply

foomanjee
Explorer
‎05-16-2013 11:49 AM

I should add that I've already got a field called 'vhost'. What I'm trying to do is search for vhost=www.domain.com, and have it show both www.domain.com and origin-www.domain.com entries, without having to use "replace". I have about 50 domains, so using "replace" would be rather ugly.

0 Karma
Reply

foomanjee
Explorer
‎05-16-2013 11:22 AM

Thanks. I'm having issues getting this to work as an automatic lookup. I've got the CSV file up, doing something simple like:

vhost,old
www.domain.com,origin-www.domain.com
www.domain2.com,origin-www.domain2.com
etc

I've got the appropriate definitions configured, and my lookups are basic:
input:
vhost=vhost

output:
old=old

I'm not seeing either new field show up in the search results, and there are no replacements being made.

Any ideas?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Index This | What has goals but no motivation?

June 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...