Extract 'table structured' data from log file usin...

A3gupta · ‎09-09-2020

I have a log file in a table structured form like this,

Code send_id dest_id

AW 96 45

BX 65 78

Now here I have to change that send_id column id's to the name(like 96 = Alex and 65= James) and regenerate the log file like the below format.

Code send_id dest_id

AW Alex 45

BX James 78

How do I extract it and again regenerate it after changing?

thambisetty · ‎09-09-2020

you can replace send_ids with name as you described, but this would be pain for you if there are high number of IDs for which you want to translate.

Scenario 1 : you can convert them using Search Processing Language.

| your search and add below search to your search
| eval send_id=case(send_id=="96","Alex",send_id=="65","James")

Scenario 2: where you can make use of Splunk knowledge objects - Lookups

I have made a video on how to use Lookups, you can find it useful.

————————————
If this helps, give a like below.

Extract 'table structured' data from log file using Perl.