
Changing an ID to a name

bazcurtis178
Explorer

Hi,

My search result brings back a GUID in the ID field. The GUID refers to a customer. I would like it to reflect the customers name. Can I make a Splunk search do this every time?

Best wishes

Michael


bazcurtis178
Explorer

I have made some progress. I have setup an Automatic Lookup and this works on a search that I table, but not on a raw search. Is that the best I will get?


richgalloway
SplunkTrust

Using an automatic lookup was a good idea. I don't understand what you mean by "raw search", however.

---
If this reply helps you, Karma would be appreciated.

bazcurtis178
Explorer

If I make a Table the Automatic Lookup works. If I do a search for index="sophos_central" I see what I would call the raw data and that field is still the GUID.


richgalloway
SplunkTrust

Have you tried adding commands other than table after "index=sophos_central"? Do any of them trigger the automatic lookup? Do you see any error messages in the search log or in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Have you tried additional SPL commands (following a |)?

Are you searching in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.

bazcurtis178
Explorer

I think I have made some progress.

index="sophos_central" "Event::Endpoint::Application::Detected" | table name, endpoint_type, location, when, customer_id, sub_estate, group

That search gives me this which is correct.

[screenshot of the search results]

I have now realised that I can add the sub_estate field from the Interesting Fields to the Selected Fields and that does what I want it to do. I can now see the sub_estate in every search.

Thanks for the help.

bazcurtis178
Explorer

I ran this search

index="sophos_central" "Event::Endpoint::Application::Detected"

and got the following result. This is the customer_id I wanted to change

[screenshot of the raw event showing customer_id]

index=_internal sourcetype=splunkd didn't seem to show any errors


bazcurtis178
Explorer

Thanks for the reply. That has worked well. I was hoping it would replace the field in all searches, but I have managed to get it to work with this search

index="sophos_central" "Event::Endpoint::Application::Detected" | lookup sub_estate_lookups.csv customer_id OUTPUT Name | table name, endpoint_type, location, when, customer_id sub_estate, group

Is it possible to replace the field by default whenever it is found?


richgalloway
SplunkTrust

Assuming the customer name is not available in another field, create a lookup table that maps GUID to name then make the lookup in your query.

If the lookup (I'll call it "guid2name.csv") looks like this:

GUID     Name
8a400b04-51f0-4c70-9340-cc7b9964e5ed  Foo
bab2f4c4-5278-4a52-a65c-8c8a287a7726  Bar

A query might look like this:

<your search for ID>
| lookup guid2name.csv GUID as ID OUTPUT Name
...


---
If this reply helps you, Karma would be appreciated.
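The configuration that makes the GUID-to-name mapping happen on every search without typing "| lookup" each time, as an added example that is not from the thread or from Splunk's own documentation. It turns the CSV above into a lookup definition and attaches it to a sourcetype as an automatic lookup. The sourcetype name "sophos:central:event", the output field name "customer_name", and the app path are assumptions; "customer_id", "GUID" and "Name" follow the field and column names used in the thread.

```ini
# Added example (not from the thread): make the GUID-to-name lookup automatic
# for one sourcetype, so the customer name is added to every search that
# returns those events, not only searches that call "| lookup" explicitly.
# Place both files under $SPLUNK_HOME/etc/apps/<your_app>/local/ on the
# search head, and the CSV under $SPLUNK_HOME/etc/apps/<your_app>/lookups/.
# "sophos:central:event" is an ASSUMED sourcetype name; check yours with
#   index="sophos_central" | stats count by sourcetype

# --- lookups/guid2name.csv (header row, then one row per customer) ---
# GUID,Name
# 8a400b04-51f0-4c70-9340-cc7b9964e5ed,Foo
# bab2f4c4-5278-4a52-a65c-8c8a287a7726,Bar

# --- transforms.conf: define the lookup ---
[guid2name]
filename = guid2name.csv
# Splunk lookups match case-sensitively by default. A GUID logged in upper
# case against a lower-case CSV row silently produces no Name at all, so
# turn case sensitivity off rather than chase "missing" customers later.
case_sensitive_match = false

# --- props.conf: attach the lookup to the sourcetype as an automatic lookup ---
[sophos:central:event]
# Format: <lookup_name> <csv_column> AS <event_field> OUTPUTNEW <csv_column> AS <event_field>
# OUTPUTNEW only fills customer_name when the event does not already carry
# one; OUTPUT would overwrite an existing value. The GUID stays in
# customer_id; an automatic lookup adds a field, it never rewrites _raw.
LOOKUP-guid2name = guid2name GUID AS customer_id OUTPUTNEW Name AS customer_name
```

Test the definition ad hoc first with `index="sophos_central" | lookup guid2name GUID AS customer_id OUTPUT Name AS customer_name | table customer_id, customer_name`; once that returns names, the props.conf stanza makes customer_name appear in the fields sidebar and in `table`/`stats` output for plain searches too. Two caveats practitioners hit: the raw event text shown under each result is unchanged (the GUID is still there, the name is a separate field), and in Fast mode a field that the search does not reference may not be displayed, so use Smart or Verbose mode or reference customer_name in the search. The lookup definition and the CSV file both need permissions that make them readable from the app (or globally) where the search runs, or the automatic lookup quietly adds nothing.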