What's the easiest way to create a key for a list of octets that need to be renamed?
Example:
I have a rex query that pulls the 3rd octet, the 4th octet, and the port.
For example, from 192.168.2.9:23 the rex would extract 2.9:23 into 3 separate fields.
rex would extract the 3 fields respectively like this: fieldA=2 fieldB=9 fieldC=23
To set up a key, I would prefer to use a macro so different users can modify values
To keep it simple, the key would look something like this. It would rename the octets extracted by the rex above, and ultimately a new field would be created that concatenates the multiple values.
2=branchoffice
9=adminhost
23=telnet
The new field would look like this:
branchoffice->adminhost->telnet
Hi ho000dor,
You can do this if you use a lookup to get the names for 2, 9 & 23 from the lookup, and then combine the names into the new field like this:
.... | lookup myLookupName | eval theNewFieldName=lookupFieldA."->".lookupFieldB."->".lookupFieldC
This assumes your lookup uses fieldA as input and outputs lookupFieldA with a value like branchoffice, and so on.
hope this helps ...
cheers, MuS
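The lookup-plus-eval approach MuS describes, as an added Python example (not code from the thread) that mirrors the rex, the lookup and the eval concatenation on constructed events. The lookup file contents and its column names key and name are assumptions, as is using one key-to-name table for all three positions; it also shows what happens when a value is missing from the lookup.

```python
import csv
import io
import re
from typing import Dict, Optional

# Constructed stand-in for a Splunk CSV lookup file; the column names
# "key" and "name" are assumptions, not something from the thread.
LOOKUP_CSV = """key,name
2,branchoffice
9,adminhost
23,telnet
"""

# Equivalent of the thread's rex: third octet, fourth octet, and port.
OCTET_PORT_RE = re.compile(
    r"\b\d{1,3}\.\d{1,3}\.(?P<fieldA>\d{1,3})\.(?P<fieldB>\d{1,3}):(?P<fieldC>\d{1,5})\b"
)


def load_lookup(text: str) -> Dict[str, str]:
    """Parse the CSV lookup into a key -> name map (what `| lookup` matches on).
    One shared table means a port and an octet with the same digits get the
    same name; use separate lookups per position if that is a problem."""
    return {row["key"]: row["name"] for row in csv.DictReader(io.StringIO(text))}


def extract_fields(raw: str) -> Optional[Dict[str, str]]:
    """Mimic `rex`: return fieldA/fieldB/fieldC, or None when the pattern misses."""
    m = OCTET_PORT_RE.search(raw)
    return m.groupdict() if m else None


def name_path(raw: str, lookup: Dict[str, str]) -> Optional[str]:
    """Mimic `lookup ... | eval theNewFieldName=A."->".B."->".C`.
    Splunk's eval yields null if any operand of `.` is null, so an octet or
    port absent from the lookup makes the whole new field disappear; return
    None in that case so the caller can spot unmapped values."""
    fields = extract_fields(raw)
    if fields is None:
        return None
    names = [lookup.get(fields[f]) for f in ("fieldA", "fieldB", "fieldC")]
    if any(n is None for n in names):
        return None
    return "->".join(names)


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    for event in ("src=192.168.2.9:23 action=allowed",   # all three keys mapped
                  "src=192.168.2.9:22 action=allowed",   # port 22 not in lookup
                  "no address here"):                    # rex does not match
        print(f"{event!r} -> {name_path(event, table)!r}")
```

Events whose rex fields are not all present in the lookup come back with no new field, which is the same silent gap you will see in Splunk unless you wrap the lookup outputs in coalesce() with a default.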
No, take a look at the docs http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions
Do I have to use transforms.conf in order to create a lookup? Some users won't have access to that.