Splunk Search
Highlighted

How to create a new field at index-time using a lookup?

Communicator

I have a challenge where I want to place a static field (at index-time, NOT search-time) onto events as they are indexed.

The value of this new field must be from a lookup, based upon data already in _raw.

Lets assume the REX we need to extract here the value to be looked up is:

Test Location:(?<valueToLookup>[0-9.])*

Can anyone help me with code samples on how to then use valueToLookup to create a new field called resolvedLookupAtIndex so it appears as a static field?

NB: I have a separate search head vs indexer environment.

Highlighted

Re: How to create a new field at index-time using a lookup?

Path Finder

You probably may have found out by now but just in case .. Lookups cannot be done at index time but only at search time. Refer to this and this answers. If its still something you are pondering on, you can explain why it cannot be a search time lookup to discuss possible options.

View solution in original post

Highlighted

Re: How to create a new field at index-time using a lookup?

Communicator

I did thanks, I spoke to someone at the last Splunk Live in London and confirmed this - thanks for adding an answer though.

0 Karma