Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

monitoring directory files

neroi
Explorer
‎09-11-2018 12:31 AM

Hello!
Need help with monitoring
We monitor the directory and load from the text files the data of the following format:

http://immage.biz/image/SVoO

We need to complete the record of information about the IP address with resolve by name of the PC (armName) after adding the event data.
How to make such an enrichment and also remove some of the fields that do not carry useful information for us?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 08:17 AM

You can enrich your data using lookup using either DNS or a local lookup file. To use DNS:

... | lookup dnslookup clienthost as armName OUTPUT clientip as armIP | ...

To use a local file you will need a CSV file with two fields: armName and armIP. Upload that file to your search head and use this SPL:

... | lookup armlookup.csv armName OUTPUT armIP | ...

Use the fields command to remove unwanted fields at search time.

... | fields - field6 field7 | ...

There are ways to prevent indexing of fields at index time, but we'd have to know about how you ingest this file. Share your props.conf settings, if you can.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 08:17 AM

You can enrich your data using lookup using either DNS or a local lookup file. To use DNS:

... | lookup dnslookup clienthost as armName OUTPUT clientip as armIP | ...

To use a local file you will need a CSV file with two fields: armName and armIP. Upload that file to your search head and use this SPL:

... | lookup armlookup.csv armName OUTPUT armIP | ...

Use the fields command to remove unwanted fields at search time.

... | fields - field6 field7 | ...

There are ways to prevent indexing of fields at index time, but we'd have to know about how you ingest this file. Share your props.conf settings, if you can.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

neroi
Explorer
‎09-12-2018 06:14 AM

Hello! Thank you for answer.

We use the first method now. But it gets the value of the address at the current moment when the search query occurs. And we need to store the value obtained at the time of receiving the data.

0 Karma
Reply
Solved! Jump to solution

neroi
Explorer
‎09-18-2018 01:58 AM

any comment to this question?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-11-2018 04:20 AM

Your image of the data is broken. Please try copy-paste rather than inserting an image.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

neroi
Explorer
‎09-11-2018 05:17 AM

thanks for your comment.
Edited

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...