Add a new field at index time and rewrite values from another field
saadmalik83
New Member
09-04-2016
04:10 AM
Hi All,
I am facing an issue with logs from Juniper SRX and ES. I am pretty new to Splunk, and I am hoping the answer to this would be an easy one.
I have a field called protocol-id with numeric values for the protocols, e.g. 1, 6, 17, which are actually ICMP, TCP and UDP respectively. ES doesn't recognize the numeric values in the ports and protocols dashboard.
I did the following, but it's not working:
- Created a CSV with the fields "id, transport", which would correlate the numeric values to their respective protocols, e.g. 1-icmp, 6-tcp, etc.
- Imported the CSV in "Lookup table files" and created the "Lookup definition"
- Created an automatic lookup with source=juniper, lookup input field "protocol_id" and lookup output field "transport"
- All of this was done on the heavy forwarder, since I want this field to be populated at the forwarder or the index level before it reaches ES.
Please let me know if this is the correct way or whether I should use another strategy.
Thanks!
sundareshr
Legend
09-04-2016
09:16 AM
If you can uniquely identify the field/value, you could use SEDCMD to replace the values:
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Anonymizedata#Anonymize_data_through_a_sed_sc...
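The following is an added example (not code from the thread or from Splunk) of the SEDCMD approach suggested above, for the poster's situation. It assumes the events are Juniper SRX structured-syslog lines carrying a literal `protocol-id="N"` key/value pair, and that the data arrives under a sourcetype named `juniper` (the stanza header; if `juniper` is the source, as the poster's automatic lookup used, the header would be `[source::juniper]` instead). The sample events are constructed for this example, not real captures. Two points worth knowing before choosing this route: an automatic lookup is a search-time operation, so it runs on the search head where ES runs and never populates anything on the heavy forwarder; SEDCMD, by contrast, rewrites `_raw` in the parsing pipeline on the heavy forwarder, so the appended `transport` field is indexed with the event, but the original log record is altered, which matters if the untouched line is ever needed as forensic evidence. The closing quote in each pattern is what makes the match unique, so `"1"` does not also fire on `"17"`; the values are lowercase because that is what the CIM `transport` field expects.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Juniper SRX
# structured-syslog events with protocol-id="N" and a sourcetype "juniper".

# Constructed sample events in the SRX structured-syslog shape (not real data).
sample_events() {
  cat <<'EOF'
RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.0.5" source-port="51234" destination-address="192.0.2.10" destination-port="443" protocol-id="6" policy-name="allow-web"]
RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.0.7" source-port="53120" destination-address="192.0.2.53" destination-port="53" protocol-id="17" policy-name="allow-dns"]
RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 source-address="10.0.0.9" destination-address="192.0.2.1" protocol-id="1" policy-name="allow-ping"]
RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 source-address="10.0.0.11" destination-address="198.51.100.4" protocol-id="47" policy-name="allow-gre"]
EOF
}

# The same s/// expressions Splunk would run as SEDCMD, applied with sed so the
# regexes can be checked locally before they touch production data. The quoted
# value anchors the match: protocol-id="1" cannot fire on protocol-id="17".
# Protocols with no mapping (47 = GRE in the sample) are left untouched.
annotate_transport() {
  sed -e 's/protocol-id="1"/protocol-id="1" transport="icmp"/' \
      -e 's/protocol-id="6"/protocol-id="6" transport="tcp"/' \
      -e 's/protocol-id="17"/protocol-id="17" transport="udp"/'
}

# The props.conf stanza for the heavy forwarder carrying the same three rules.
# Stanza name "juniper" is an assumed sourcetype; use [source::juniper] if the
# data is matched by source rather than sourcetype.
props_conf_stanza() {
  cat <<'EOF'
[juniper]
SEDCMD-transport_icmp = s/protocol-id="1"/protocol-id="1" transport="icmp"/
SEDCMD-transport_tcp  = s/protocol-id="6"/protocol-id="6" transport="tcp"/
SEDCMD-transport_udp  = s/protocol-id="17"/protocol-id="17" transport="udp"/
EOF
}

# Number of sample events that received a transport field after rewriting.
count_annotated() {
  sample_events | annotate_transport | grep -c 'transport="'
}

# Run stand-alone: show the rewritten events and the stanza to deploy.
sample_events | annotate_transport
echo
props_conf_stanza
echo
echo "annotated events: $(count_annotated)"
```

To deploy, place the stanza in `$SPLUNK_HOME/etc/system/local/props.conf` (or an app's `local/props.conf`) on the heavy forwarder and restart it; only events parsed after the restart are rewritten, existing indexed data is unchanged. No `g` flag is needed because each SRX event carries a single `protocol-id`. Anything beyond the three mapped protocols still reaches ES with only the numeric value, so extend the list for whatever else the SRX actually logs (GRE, ESP, and so on) rather than relying on a catch-all.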