Splunk Search

Build a Key that defines and renames field values extracted

ho000dor
Explorer

What's the easiest way to create a key for a list of octets that need to be renamed?

Example:
I have a rex query that pulls the 3rd octet, the 4th octet, and the port.
For example, for 192.168.2.9:23 the rex would extract 2.9:23 into 3 separate fields.
The rex would extract the 3 fields respectively like this: fieldA=2 fieldB=9 fieldC=23
To set up a key, I would prefer to use a macro so different users can modify values

To keep it simple, the key would look something like this. It would rename the octets extracted by the rex above, and ultimately a new field would be created that concatenates multiple values.
2=branchoffice
9=adminhost
23=telnet

new field would look like this:
branchoffice->adminhost->telnet


MuS
SplunkTrust

Hi ho000dor,

You can do this if you use a lookup to get the names for 2, 9 & 23 and then combine the names into this new field like this:

.... | lookup myLookupName | eval theNewFieldName=lookupFieldA."->".lookupFieldB."->".lookupFieldC

This assumes your lookup uses fieldA as input and lookupFieldA as output, with a value like branchoffice, and so on.

hope this helps ...

cheers, MuS

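The complete pipeline MuS describes, written out as an added example (this is not MuS's or the original poster's search). It assumes a CSV lookup named octet_key has been created with the columns kind,value,name and rows such as octet3,2,branchoffice / octet4,9,adminhost / port,23,telnet; the kind column exists because the same number can mean different things depending on whether it is the 3rd octet, the 4th octet or the port. The sample addresses are constructed with makeresults so the search runs without an index, and coalesce() falls back to the raw number whenever the key has no entry for it, so the new field is never left empty:

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(n==1, "192.168.2.9:23", n==2, "10.0.2.9:22", n==3, "172.16.5.7:23")
| rex field=_raw "^\d{1,3}\.\d{1,3}\.(?<fieldA>\d{1,3})\.(?<fieldB>\d{1,3}):(?<fieldC>\d{1,5})$"
| eval k3="octet3", k4="octet4", kp="port"
| lookup octet_key kind AS k3, value AS fieldA OUTPUT name AS lookupFieldA
| lookup octet_key kind AS k4, value AS fieldB OUTPUT name AS lookupFieldB
| lookup octet_key kind AS kp, value AS fieldC OUTPUT name AS lookupFieldC
| eval theNewFieldName=coalesce(lookupFieldA, fieldA)."->".coalesce(lookupFieldB, fieldB)."->".coalesce(lookupFieldC, fieldC)
| table _raw fieldA fieldB fieldC theNewFieldName
```

With the three example rows in the lookup, the first event yields branchoffice->adminhost->telnet, while the unmapped values in the other two events (22, 5, 7) pass through unchanged, which makes gaps in the key visible in the results rather than silently dropping them. The three lookup lines plus the eval can be placed in a search macro so the users who maintain the key only edit the CSV and never touch the search itself.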

ho000dor
Explorer

Do I have to use transforms.conf in order to create a lookup? Some users won't have access to that.
