Splunk Search

Build a Key that defines and renames field values extracted

ho000dor
Explorer

What's the easiest way to create a key for a list of octets that need to be renamed?

Example:
I have a rex query that pulls the 3rd, 4th OCTET, and Port
For example - 192.168.2.9:23 the rex would extract 2.9:23 to 3 seperate fields
rex would extract 3 fields respectively to this fieldA=2 fieldB=9 fieldC=23
To set up a key, I would prefer to use a macro so different users can modify values

To keep it simple, the key would look something like this and would rename the octets extracted from the rex above and ultimately a new field would be created, that concatenates multiple values.
2=branchoffice
9=adminhost
23=telnet

new field would look like this:
branchoffice->adminhost->telnet

Tags (5)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi ho000dor,

you can do this, if you use a lookup to get the names for 2, 9 & 23 from the lookup and then combine the names to this new field like this:

.... | lookup myLookupName | eval theNewFieldName=lookupFieldA."->".lookupFieldB."->".lookupFieldC

If your lookup uses fieldA as input and as output lookupFieldA with a value like branchoffice and so on.

hope this helps ...

cheers, MuS

MuS
SplunkTrust
SplunkTrust
0 Karma

ho000dor
Explorer

do i have to use transform.conf in order to create a lookup? some users won't have access to that.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...