Replacing strings in lookup result via transform

afx · ‎06-18-2019

Hi,
I am trying to make a parameterized log more readable.
Assuming a log that has the entries
20,hugo,10.1.1.1
which are the fields
msgid,user,src

I might have a log entry that has a msgid of 20 which then is resolved via a CSV lookup to a readable message which is available as a field:
message="User &A has logged in from &B"

I have that step working already, but I am a bit lost on how to proceed to the next one:

In a second step I want that message to be filled in by the two fields that have been extracted from the log (Say A=hugo and B=10.1.1.1) so that the result is available as a field
fullmessage="User hugo has logged in from 10.1.1.1"

All of this in props.conf/transforms.conf so that fullmessage is available for reports later on.

thx
afx

harshpatel · ‎06-18-2019

Hi @afx is the string "User hugo has logged in from 10.1.1.1" except hugo and 10.1.1.1 static?

afx · ‎06-18-2019

That string is static yes, but it comes from a lookup.

harshpatel · ‎06-18-2019

Have you tried EVAL in props.conf? For example: EVAL-fieldname = field1 + field2

afx · ‎06-18-2019

After checking the docs, I unfortunately found that I cannot use EVAL on results from a LOOKUP.

Replacing strings in lookup result via transform

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life