Add description to field value

phildefer · ‎11-14-2023

Hello,

I have a system log which contains different DNS error messages (in the 'Message' field) and I am looking for an easy way to provide a short, meaningful description for those messages, either by adding a new field representing each unique DNS error message, or by adding text to the Message field.

Here's an example; one event contains the following :
Message="DNS name resolution failure (sos.epdg.epc.mnc720.mcc302.pub.3gppnetwork.org)"

This error is related to WiFi calling, so I would like to associate a description, or tag to that specific message, e.g. "WiFi calling".

Thoughts?

bowesmana · ‎11-14-2023

Depending on how many cases you have, you can either do it inline, with

| eval description=case(match(Message, "regex_expression1"), "Description1",
                        match(Message, "regex_expression2"), "Description2",
                        match(Message, "regex_expression3"), "Description3")

or probably more practical is to make a lookup - probably a wildcard based lookup, which means creating a CSV with Message, Description fields and then a lookup DEFINITION that has the match type set to

WILDCARD(Message)

In that you could then put things like

"DNS name resolution failure*" as the Message column and then a suitable description.

Using a wildcard type means you don't have to write SPL to extract particular bits of the message to determine the lookup attribute.

Add description to field value

fields

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?