Splunk Search

Create multivalue field from single number


For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a single number:
Example: "7, 5, 1"


If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7

code, attr
4, read
2, write
1, execute

So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for splunk to see file_access_user_code and extract the following:

file_access_user="read, write, execute", 
file_access_group="read, execute",

I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?

0 Karma


First, I would make the table a bit easier to use - it's only 7 values (15 for hex) and it saves a lot of computational work that is not easy in Splunk:

code, attr
7,"read, write, execute"
6,"read, write"
5,"read, execute"
3,"write, execute"

Now try this

| eval file_access_user_code= substr(file_access_string, 1, 1)
| eval file_access_group_code= substr(file_access_string, 2, 1)
| eval file_access_world_code= substr(file_access_string, 3, 1)
| lookup file_access_lookup code as file_access_user_code OUTPUT attr as file_access_user
| lookup file_access_lookup code as file_access_group_code OUTPUT attr as file_access_group
| lookup file_access_lookup code as file_access_world_code OUTPUT attr as file_access_world
| makemv delim="," file_access_user
| makemv delim="," file_access_group
| makemv delim="," file_access_world

How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...