Solved: Re: How do I convert a country name to country cod...

nick405060 · ‎08-23-2018

How do I convert a CC to a country name in Splunk, or vice versa?

Since Splunk Answers won't let me post this question without it being longer (#logic), I need to do:

| makeresults | eval cc="US" | eval country="United States" | <test if they are equal>

niketn · ‎08-23-2018

@nick405060, I think you have implemented an incorrect approach for lookup file. You have indexed the lookup file instead of adding the same as Lookup file and creating Lookup Definition.

Refer to Splunk Documentation for Defining Lookup in Splunk. Once you have configured the same you can use lookup and inputlookup command to perform Country to Country Code and vice versa correlation depending on what is the field present in your data.

While the documentation links posted above have examples for each command. You can also search Splunk Answers for similar use cases. Following are couple of previous answers on similar lines:

https://answers.splunk.com/answers/132299/extracting-country-codes-from-phone-numbers.html
https://answers.splunk.com/answers/378193/is-it-possible-to-use-a-countrycode-us-for-the-geo.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎08-23-2018

@nick405060, I think you have implemented an incorrect approach for lookup file. You have indexed the lookup file instead of adding the same as Lookup file and creating Lookup Definition.

Refer to Splunk Documentation for Defining Lookup in Splunk. Once you have configured the same you can use lookup and inputlookup command to perform Country to Country Code and vice versa correlation depending on what is the field present in your data.

While the documentation links posted above have examples for each command. You can also search Splunk Answers for similar use cases. Following are couple of previous answers on similar lines:

https://answers.splunk.com/answers/132299/extracting-country-codes-from-phone-numbers.html
https://answers.splunk.com/answers/378193/is-it-possible-to-use-a-countrycode-us-for-the-geo.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

nick405060 · ‎08-23-2018

Thanks! You're right, I could have used a lookup instead of indexing and joining.

pruthvikrishnap · ‎08-23-2018

you can use the replace command to do this.

https://answers.splunk.com/answers/568552/how-to-use-replace-in-search.html
Let me know if this helps.

nick405060 · ‎08-23-2018

That wouldn't work because CCs aren't uniform. FR is the first two characters of the country name, while US is the first and eighth character of the country name, CN is the first and fourth letter of the country name.

pruthvikrishnap · ‎08-23-2018

if you have a list of CC's try adding them to a lookup file which would be much easier.

nick405060 · ‎08-23-2018

Yeah, that's what I ended up doing. Not super elegant but whatever. A moderator can convert your comment to an answer if they want. I just created country_codes.csv and then left joined my data with it.

<data> | join type=left Country [| search source="country_codes.csv" | table CC Country]

How do I convert a country name to country code (or vice versa)?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...