Splunk Search

Create multivalue field from single number

landen99
Motivator

For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a single number:
Example: "7, 5, 1"

file_access_user_code="7", 
file_access_group_code="5",
file_access_world_code="1" 

If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7

code, attr
4, read
2, write
1, execute

So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for splunk to see file_access_user_code and extract the following:

file_access_user="read, write, execute", 
file_access_group="read, execute",
file_access_world="execute"

I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?


lguinn2
Legend

First, I would make the table a bit easier to use - it's only 7 values (15 for hex) and it saves a lot of computational work that is not easy in Splunk:

code, attr
7,"read, write, execute"
6,"read, write"
5,"read, execute"
4,read
3,"write, execute"
2,write
1,execute

Now try this

yoursearchhere
| eval file_access_user_code= substr(file_access_string, 1, 1)
| eval file_access_group_code= substr(file_access_string, 2, 1)
| eval file_access_world_code= substr(file_access_string, 3, 1)
| lookup file_access_lookup code as file_access_user_code OUTPUT attr as file_access_user
| lookup file_access_lookup code as file_access_group_code OUTPUT attr as file_access_group
| lookup file_access_lookup code as file_access_world_code OUTPUT attr as file_access_world
| makemv delim=", " file_access_user
| makemv delim=", " file_access_group
| makemv delim=", " file_access_world

How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.

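As an added example, not code from the thread, the following Python script generates the flattened lookup table the answer builds by hand from a single-bit "code, attr" table, so the same approach scales to the hex-encoded case: it decodes a code by testing each bit and enumerates every combination as one CSV row. The 3-bit table mirrors the question's chmod example; the 4-bit hex-digit table and its attribute names are constructed placeholders.

```python
import csv
import io

# Constructed bit table in the shape of the question's "code, attr" table:
# every code is a single bit and names one attribute.
UNIX_PERMISSION_BITS = {4: "read", 2: "write", 1: "execute"}

# A 4-bit (one hex digit) table, constructed here to stand in for the
# larger hex-encoded attribute table the question mentions.
HEX_ATTRIBUTE_BITS = {8: "hidden", 4: "system", 2: "archive", 1: "readonly"}


def _check_bit_table(bit_table):
    """Every code must be a distinct single bit; return the highest valid code."""
    for bit in bit_table:
        if bit <= 0 or bit & (bit - 1):
            raise ValueError("code %r is not a single bit" % (bit,))
    return sum(bit_table)


def decode_code(code, bit_table):
    """Return the attributes whose bits are set in code, highest bit first."""
    max_code = _check_bit_table(bit_table)
    if not 0 <= code <= max_code:
        raise ValueError("code %r outside 0..%d" % (code, max_code))
    return [attr for bit, attr in sorted(bit_table.items(), reverse=True) if code & bit]


def expand_lookup_rows(bit_table):
    """Enumerate every non-zero combination, highest code first, as the
    flattened (code, "attr1, attr2, ...") rows the answer's lookup needs."""
    max_code = _check_bit_table(bit_table)
    return [(code, ", ".join(decode_code(code, bit_table)))
            for code in range(max_code, 0, -1)]


def lookup_csv(bit_table):
    """Render the expanded rows as a CSV lookup body with header code,attr.
    Fields containing the comma separator are quoted, as in the answer's table."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["code", "attr"])
    writer.writerows(expand_lookup_rows(bit_table))
    return buf.getvalue()


if __name__ == "__main__":
    print(lookup_csv(UNIX_PERMISSION_BITS))
    print(lookup_csv(HEX_ATTRIBUTE_BITS))
```

Save the printed output as the lookup file and `makemv delim=", "` on the returned attr field yields the multivalue result the question asks for.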