Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Build a Key that defines and renames field values extracted

ho000dor
Explorer
‎02-28-2014 06:52 PM

What's the easiest way to create a key for a list of octets that need to be renamed?

Example:
I have a rex query that pulls the 3rd, 4th OCTET, and Port
For example - 192.168.2.9:23 the rex would extract 2.9:23 to 3 seperate fields
rex would extract 3 fields respectively to this fieldA=2 fieldB=9 fieldC=23
To set up a key, I would prefer to use a macro so different users can modify values

To keep it simple, the key would look something like this and would rename the octets extracted from the rex above and ultimately a new field would be created, that concatenates multiple values.
2=branchoffice
9=adminhost
23=telnet

new field would look like this:
branchoffice->adminhost->telnet

Tags (5)
0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎02-28-2014 11:54 PM

Hi ho000dor,

you can do this, if you use a lookup to get the names for 2, 9 & 23 from the lookup and then combine the names to this new field like this:

.... | lookup myLookupName | eval theNewFieldName=lookupFieldA."->".lookupFieldB."->".lookupFieldC

If your lookup uses fieldA as input and as output lookupFieldA with a value like branchoffice and so on.

hope this helps ...

cheers, MuS

Reply

MuS
SplunkTrust
SplunkTrust
‎03-01-2014 12:09 PM

No, take a look at the docs http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

0 Karma
Reply

ho000dor
Explorer
‎03-01-2014 08:06 AM

do i have to use transform.conf in order to create a lookup? some users won't have access to that.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...