Re: Replacing strings in lookup result via transfo...

afx · ‎06-18-2019

Hi,
I am trying to make a parameterized log more readable.
Assuming a log that has the entries
20,hugo,10.1.1.1
which are the fields
msgid,user,src

I might have a log entry that has a msgid of 20 which then is resolved via a CSV lookup to a readable message which is available as a field:
message="User &A has logged in from &B"

I have that step working already, but I am a bit lost on how to proceed to the next one:

In a second step I want that message to be filled in by the two fields that have been extracted from the log (Say A=hugo and B=10.1.1.1) so that the result is available as a field
fullmessage="User hugo has logged in from 10.1.1.1"

All of this in props.conf/transforms.conf so that fullmessage is available for reports later on.

thx
afx

harshpatel · ‎06-18-2019

Hi @afx is the string "User hugo has logged in from 10.1.1.1" except hugo and 10.1.1.1 static?

afx · ‎06-18-2019

That string is static yes, but it comes from a lookup.

harshpatel · ‎06-18-2019

Have you tried EVAL in props.conf? For example: EVAL-fieldname = field1 + field2

afx · ‎06-18-2019

After checking the docs, I unfortunately found that I cannot use EVAL on results from a LOOKUP.

Replacing strings in lookup result via transform

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation