Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Replacing strings in lookup result via transform

afx
Contributor
‎06-18-2019 01:41 AM

Hi,
I am trying to make a parameterized log more readable.
Assuming a log that has the entries
20,hugo,10.1.1.1
which are the fields
msgid,user,src

I might have a log entry that has a msgid of 20 which then is resolved via a CSV lookup to a readable message which is available as a field:
message="User &A has logged in from &B"

I have that step working already, but I am a bit lost on how to proceed to the next one:

In a second step I want that message to be filled in by the two fields that have been extracted from the log (Say A=hugo and B=10.1.1.1) so that the result is available as a field
fullmessage="User hugo has logged in from 10.1.1.1"

All of this in props.conf/transforms.conf so that fullmessage is available for reports later on.

thx
afx

0 Karma
Reply

harshpatel
Contributor
‎06-18-2019 03:06 AM

Hi @afx is the string "User hugo has logged in from 10.1.1.1" except hugo and 10.1.1.1 static?

0 Karma
Reply

afx
Contributor
‎06-18-2019 03:55 AM

That string is static yes, but it comes from a lookup.

0 Karma
Reply

harshpatel
Contributor
‎06-18-2019 04:30 AM

Have you tried EVAL in props.conf? For example: EVAL-fieldname = field1 + field2

0 Karma
Reply

afx
Contributor
‎06-18-2019 11:43 PM

After checking the docs, I unfortunately found that I cannot use EVAL on results from a LOOKUP.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...