Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Create multivalue field from single number

landen99
Motivator
‎12-05-2014 12:30 PM

For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a single number:
Example: "7, 5, 1"

file_access_user_code="7", 
file_access_group_code="5",
file_access_world_code="1"

If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7

code, attr
4, read
2, write
1, execute

So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for splunk to see file_access_user_code and extract the following:

file_access_user="read, write, execute", 
file_access_group="read, execute",
file_access_world="execute"

I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?

0 Karma
Reply

lguinn2
Legend
‎12-05-2014 01:15 PM

First, I would make the table a bit easier to use - it's only 7 values (15 for hex) and it saves a lot of computational work that is not easy in Splunk:

code, attr
7,"read, write, execute"
6,"read, write"
5,"read, execute"
4,read
3,"write, execute"
2,write
1,execute

Now try this

yoursearchhere
| eval file_access_user_code= substr(file_access_string, 1, 1)
| eval file_access_group_code= substr(file_access_string, 2, 1)
| eval file_access_world_code= substr(file_access_string, 3, 1)
| lookup file_access_lookup code as file_access_user_code OUTPUT attr as file_access_user
| lookup file_access_lookup code as file_access_group_code OUTPUT attr as file_access_group
| lookup file_access_lookup code as file_access_world_code OUTPUT attr as file_access_world
| makemv delim="," file_access_user
| makemv delim="," file_access_group
| makemv delim="," file_access_world

How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...