- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to change a field with a numeric value in a CS...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change a field with a numeric value in a CSV input file to a word equivalent at index-time?
For example, csv field is vulnerability severity (range of 1-10). I want to change that to one of 3 values depending on the numeric value, Moderate, Severe or Critical. I read that Lookup files cannot be used at index-time, so is there an alternative?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are a couple of options
If you must do it at index time, you can use SEDCMD in your props.con to anonymize your data. See online documentation for more details1. The limitation with this howeever, is you cannot use INDEXED_EXTRACTIONS to extract your csv data. You will have to import them as DELIM and specify FIELD names in your transforms.
The other option, would be to create a calculated field. This will add a new field that can be used in your searches. Read up on that here http://docs.splunk.com/Documentation/Splunk/6.1/Knowledge/definecalcfields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK thanks. Right now I'm trying to create an automatic lookup to use at search time. But I'll try the calculated field method.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there!
If I am understanding this correctly, you have a field called severity and with a range values 1-10, and depending the number, you want to change it to Moderate, Severe or Critical and use it after the change in another search, right?
If this is the case, you could try something like this:
| eval priority= if(severity(your field)>="0" AND severity<5, "Moderate", if (severity <"8" AND severity >= "5", "Severe", if (severity <= "10" AND severity >= 8, "Critical","Unrated")))
This will set a new field called priority the values 0-4 as Moderate, values from 5-8 SEvere and values from 8-10 Critical.
I hope It works, If I am missunderstanding something or it doesn't work write it and I will try to help you more 🙂
Fueling your curiosity with new Splunk ILT and eLearning courses
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
Unleash Unified Security and Observability with Splunk Cloud Platform
