Build a Key that defines and renames field values ...

ho000dor · ‎02-28-2014

What's the easiest way to create a key for a list of octets that need to be renamed?

Example:
I have a rex query that pulls the 3rd, 4th OCTET, and Port
For example - 192.168.2.9:23 the rex would extract 2.9:23 to 3 seperate fields
rex would extract 3 fields respectively to this fieldA=2 fieldB=9 fieldC=23
To set up a key, I would prefer to use a macro so different users can modify values

To keep it simple, the key would look something like this and would rename the octets extracted from the rex above and ultimately a new field would be created, that concatenates multiple values.
2=branchoffice
9=adminhost
23=telnet

new field would look like this:
branchoffice->adminhost->telnet

MuS · ‎02-28-2014

Hi ho000dor,

you can do this, if you use a lookup to get the names for 2, 9 & 23 from the lookup and then combine the names to this new field like this:

.... | lookup myLookupName | eval theNewFieldName=lookupFieldA."->".lookupFieldB."->".lookupFieldC

If your lookup uses fieldA as input and as output lookupFieldA with a value like branchoffice and so on.

hope this helps ...

cheers, MuS

MuS · ‎03-01-2014

No, take a look at the docs http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions

ho000dor · ‎03-01-2014

do i have to use transform.conf in order to create a lookup? some users won't have access to that.

Build a Key that defines and renames field values extracted

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk