If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7
So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for splunk to see file_access_user_code and extract the following:
I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?
How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.