Splunk Search

Create multivalue field from single number

landen99
Motivator

For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a single number:
Example: "7, 5, 1"

file_access_user_code="7", 
file_access_group_code="5",
file_access_world_code="1" 

If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7

code, attr
4, read
2, write
1, execute

So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for Splunk to see file_access_user_code and extract the following:

file_access_user="read, write, execute", 
file_access_group="read, execute",
file_access_world="execute"

I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell Splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?

0 Karma

lguinn2
Legend

First, I would make the table a bit easier to use - it's only 7 values (15 for hex) and it saves a lot of computational work that is not easy in Splunk:

code, attr
7,"read, write, execute"
6,"read, write"
5,"read, execute"
4,read
3,"write, execute"
2,write
1,execute

Now try this:

yoursearchhere
| eval file_access_user_code= substr(file_access_string, 1, 1)
| eval file_access_group_code= substr(file_access_string, 2, 1)
| eval file_access_world_code= substr(file_access_string, 3, 1)
| lookup file_access_lookup code as file_access_user_code OUTPUT attr as file_access_user
| lookup file_access_lookup code as file_access_group_code OUTPUT attr as file_access_group
| lookup file_access_lookup code as file_access_world_code OUTPUT attr as file_access_world
| makemv delim="," file_access_user
| makemv delim="," file_access_group
| makemv delim="," file_access_world

How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.

0 Karma
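The two halves of the thread (decoding a bitmask into its attribute names, and the answer's pre-expanded "code, attr" table that lets Splunk use a plain lookup plus makemv) can be seen together in a small Python script. This is an added example and not code from either poster; it assumes the bit-level table and field names from the question, and HEX_TABLE is a constructed 4-bit stand-in for the larger hexadecimal encoding the question mentions, with placeholder attribute names. It generates the expanded lookup CSV for any such bit table, which is the part that is awkward to do inside Splunk itself.

```python
import csv
import io

# Constructed bit-level table from the question: one attribute per bit (code, attr).
BIT_TABLE = [(4, "read"), (2, "write"), (1, "execute")]

# Constructed 4-bit "hex" table standing in for the larger attribute encoding the
# question mentions; the attribute names are placeholders, not from the page.
HEX_TABLE = [(8, "flag_8"), (4, "flag_4"), (2, "flag_2"), (1, "flag_1")]

# Field names used in the question, in the order the digits appear.
FIELD_NAMES = ["file_access_user", "file_access_group", "file_access_world"]


def decode_code(code, bit_table=BIT_TABLE):
    """Return the attribute names whose bit is set in `code`, highest bit first.

    This is the per-value bit test that is hard to express in SPL; code 0 yields [].
    """
    return [attr for bit, attr in sorted(bit_table, reverse=True) if code & bit]


def decode_permission_string(perm, bit_table=BIT_TABLE):
    """Split a digit string such as "751" into the user/group/world fields and decode
    each digit into its multi-value list (mirrors the substr + lookup + makemv steps).

    Digits are parsed as hex so the same routine works for 4-bit tables.
    """
    if len(perm) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} digits, got {perm!r}")
    return {name: decode_code(int(ch, 16), bit_table)
            for name, ch in zip(FIELD_NAMES, perm)}


def expand_lookup(bit_table=BIT_TABLE):
    """Pre-expand the bit table into one row per non-zero combination of bits,
    i.e. the flattened (code, attr) table the answer recommends.

    Bits are combined via a mask over table positions rather than a plain range, so
    a table with gaps (e.g. bits 8 and 1 only) still produces only reachable codes.
    A 3-bit table yields 7 rows and a 4-bit table yields 15.
    """
    rows = {}
    for mask in range(1, 1 << len(bit_table)):
        code = sum(bit for i, (bit, _) in enumerate(bit_table) if mask & (1 << i))
        rows[code] = ", ".join(decode_code(code, bit_table))
    return sorted(rows.items(), reverse=True)


def lookup_csv(bit_table=BIT_TABLE):
    """Render the expanded table as CSV text suitable for a Splunk lookup file;
    multi-attribute values are quoted because they contain the delimiter."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["code", "attr"])
    writer.writerows(expand_lookup(bit_table))
    return buf.getvalue()


if __name__ == "__main__":
    print(decode_permission_string("751"))
    print(lookup_csv(), end="")
    print(lookup_csv(HEX_TABLE), end="")
```

Running the script prints the decoded fields for "751" and then the 7-row and 15-row lookup files; the 7-row output is the same table lguinn2 wrote by hand, so the CSV can be dropped in as file_access_lookup and used with the search above, with makemv splitting the quoted values back into multi-value fields.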