Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Replacing strings in lookup result via transform

afx
Contributor
‎06-18-2019 01:41 AM

Hi,
I am trying to make a parameterized log more readable.
Assuming a log that has the entries
20,hugo,10.1.1.1
which are the fields
msgid,user,src

I might have a log entry that has a msgid of 20 which then is resolved via a CSV lookup to a readable message which is available as a field:
message="User &A has logged in from &B"

I have that step working already, but I am a bit lost on how to proceed to the next one:

In a second step I want that message to be filled in by the two fields that have been extracted from the log (Say A=hugo and B=10.1.1.1) so that the result is available as a field
fullmessage="User hugo has logged in from 10.1.1.1"

All of this in props.conf/transforms.conf so that fullmessage is available for reports later on.

thx
afx

0 Karma
Reply

harshpatel
Contributor
‎06-18-2019 03:06 AM

Hi @afx is the string "User hugo has logged in from 10.1.1.1" except hugo and 10.1.1.1 static?

0 Karma
Reply

afx
Contributor
‎06-18-2019 03:55 AM

That string is static yes, but it comes from a lookup.

0 Karma
Reply

harshpatel
Contributor
‎06-18-2019 04:30 AM

Have you tried EVAL in props.conf? For example: EVAL-fieldname = field1 + field2

0 Karma
Reply

afx
Contributor
‎06-18-2019 11:43 PM

After checking the docs, I unfortunately found that I cannot use EVAL on results from a LOOKUP.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...