Splunk Search

How do I convert values returned to another format?

djconroy
Path Finder

Is there a way when creating a table of syslog results that I can convert a value such as "17" to "udp" based on a set of predefined mappings, i.e. 1=icmp,6=tcp,17=udp,47=gre,50=esp?

Thanks!

Tags (2)
0 Karma
1 Solution

mcmaster
Communicator

You're probably looking for something like this:

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

You'll want to define a CSV with the protocol number as one column, and the protocol name as the other. You can then use that in a lookup something like (not exact as you didn't provide details on your logs):

sourcetype=my-firewall | lookup protocols protocol_number OUTPUT protocol_name

You can see more on using the lookup command here:

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Lookup

View solution in original post

mcmaster
Communicator

You're probably looking for something like this:

http://docs.splunk.com/Documentation/Splunk/6.0.3/Knowledge/Addfieldsfromexternaldatasources

You'll want to define a CSV with the protocol number as one column, and the protocol name as the other. You can then use that in a lookup something like (not exact as you didn't provide details on your logs):

sourcetype=my-firewall | lookup protocols protocol_number OUTPUT protocol_name

You can see more on using the lookup command here:

http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Lookup

somesoni2
Revered Legend

Lookups comes very handy for situations where additional static information to be added to result. Also, if the no of mapping is small and its to be used in only 1-2 places, you can use "eval-case" command to define those. [lookups are easily scalable though]

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...