Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to perform a field extraction on a field from a lookup table?

dkorlat
Explorer
‎07-29-2020 01:31 AM

Hi,

How to perform a field extraction on a field from a lookup table?

I'm trying to add another field so the data model in Splunk Enterprise Security can recognise the field.

The issue i'm having is field extraction in props.conf and transforms.conf happen before the lookup table.

I tried the AS command after OUTPUT on the lookup, but it renames the default field from the Windows Add-on. I only want to add another field and not rename the fields in the Add-on. REPORT- in props.conf and transforms.conf works on any other field except fields from lookup tables.

I need to perform the field extraction in the Add-on and not in SPL.

Thanks in advanced.

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-29-2020 04:45 AM

Hi

here is describing the sequence of search-time operations  https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence. It shows that lookups are applied after transforms. For that reason I think that the only way you can so it is SPL not props.conf or transforms.conf.

r. Ismo

Reply

dkorlat
Explorer
‎07-30-2020 01:43 AM

Thanks,

Splunk Enterprise Security requires the field for the CIM to build the data model.

I won't be able to run it as a SPL as the data models are built as a background task.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-30-2020 06:18 AM

Hi

can you do that extraction before you are creating this inputlookup table (e.g. just add additional column there)?

r. Ismo

0 Karma
Reply

dkorlat
Explorer
‎07-30-2020 07:59 PM

I need to create another field from the field generated by the table lookup. 

Here is the line which creates the lookup table field

"LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege"

I can use LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege AS MyNewField with works, but I lose the field name privilege, which might cause other dashboards to stop working.

I can't post the props.conf as it exceeds 20000 characters.

0 Karma
Reply

shivanshu1593
Builder
‎08-04-2020 03:23 PM

I got your requirement now, here's what you can try:

1. In the Index field in your datamodel, append the results of your lookup (inputlookup append=t your_lookup.csv)

2. In the calculated fields, use the option of extract more fields, and use Auto extracted fields and check if you can find your desired field there, if yes, just add it to your datamodel.

3. If you cannot find it via Auto extract, you can always go for the trusted Regular Expressions.

Try this and let me know if it works.

S

If it helps, please accept it as an answer.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...