Splunk Search

How to perform a field extraction on a field from a lookup table?

dkorlat
Explorer

Hi,

How to perform a field extraction on a field from a lookup table?

I'm trying to add another field so the data model in Splunk Enterprise Security can recognise the field.

The issue I'm having is that field extraction in props.conf and transforms.conf happens before the lookup table is applied.

I tried the AS command after OUTPUT on the lookup, but it renames the default field from the Windows Add-on. I only want to add another field and not rename the fields in the Add-on. REPORT- in props.conf and transforms.conf works on any other field except fields from lookup tables.

I need to perform the field extraction in the Add-on and not in SPL.

Thanks in advance.


isoutamo
SplunkTrust

Hi

Here is the page describing the sequence of search-time operations: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence. It shows that lookups are applied after transforms. For that reason I think the only way you can do it is in SPL, not in props.conf or transforms.conf.

r. Ismo

dkorlat
Explorer

Thanks,

Splunk Enterprise Security requires the field for the CIM to build the data model.

I won't be able to run it as a SPL as the data models are built as a background task.


isoutamo
SplunkTrust

Hi

Can you do that extraction before you create this lookup table (e.g. just add an additional column to it)?

r. Ismo


dkorlat
Explorer

I need to create another field from the field generated by the table lookup.

Here is the line which creates the lookup-table field:

LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege

I can use LOOKUP-privilege_for_windows_security = windows_privilege_lookup privilege_id OUTPUT privilege AS MyNewField, which works, but I lose the field name privilege, which might cause other dashboards to stop working.

I can't post the props.conf as it exceeds 20000 characters.

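An added example (not code from this thread or from the Splunk Add-on for Windows) of the approach isoutamo's reply points at: because lookups run after EXTRACT-, REPORT- and EVAL- in the search-time sequence, no props.conf stanza can regex a field out of the lookup's output. What does work without renaming `privilege` is to derive the extra value offline, store it as a second column of the lookup CSV, and have the same LOOKUP- stanza OUTPUT both columns. Assumptions not in the original post: the CSV has columns `privilege_id` and `privilege`, the new field is called `privilege_short`, the derivation rule (lowercase, runs of non-alphanumerics collapsed to `_`) is a hypothetical stand-in for whatever extraction is actually needed, and the sample rows are constructed for the demo.

```python
"""
Add a derived column to a Splunk CSV lookup so the derived field reaches the
data model through the existing LOOKUP- stanza instead of a REPORT- that can
never see it (lookups are applied after field extractions at search time).

Added example; assumptions (not from the thread or the add-on) are marked.
"""
import csv
import io
import re

NEW_FIELD = "privilege_short"          # assumed name of the derived field
TOKEN_RE = re.compile(r"[^A-Za-z0-9]+")  # hypothetical derivation rule


def derive(privilege: str) -> str:
    """Derive the new value from the lookup's `privilege` column.

    Hypothetical rule: collapse non-alphanumeric runs to '_' and lowercase,
    e.g. 'Debug programs' -> 'debug_programs'. An empty input yields '' so the
    lookup simply outputs nothing for that row rather than a bogus value.
    """
    return TOKEN_RE.sub("_", privilege.strip()).strip("_").lower()


def augment_lookup(csv_text: str) -> str:
    """Return the lookup CSV with NEW_FIELD appended to every row.

    Existing columns, including `privilege`, are written back unchanged, so
    dashboards that already key on `privilege` keep working.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or "privilege" not in reader.fieldnames:
        raise ValueError("lookup CSV has no 'privilege' column")
    fieldnames = list(reader.fieldnames)
    if NEW_FIELD not in fieldnames:
        fieldnames.append(NEW_FIELD)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[NEW_FIELD] = derive(row["privilege"])
        writer.writerow(row)
    return out.getvalue()


def lookup_stanza(new_field: str = NEW_FIELD) -> str:
    """props.conf line that outputs both the original and the derived field.

    Same lookup name and key as the add-on line quoted in the thread; the only
    change is the extra comma-separated OUTPUT field, so `privilege` survives.
    """
    return (
        "LOOKUP-privilege_for_windows_security = windows_privilege_lookup "
        f"privilege_id OUTPUT privilege, {new_field}"
    )


# Constructed sample rows for the demo; not the add-on's real lookup content.
SAMPLE_LOOKUP = """privilege_id,privilege
SeDebugPrivilege,Debug programs
SeTcbPrivilege,Act as part of the operating system
SeImpersonatePrivilege,Impersonate a client after authentication
"""

if __name__ == "__main__":
    print(augment_lookup(SAMPLE_LOOKUP))
    print(lookup_stanza())
```

Write the augmented CSV back to the lookup file the `windows_privilege_lookup` transforms stanza points at, and put the widened LOOKUP- line in a local props.conf so it overrides the add-on's default. Files under an add-on's default directories are replaced when the add-on is upgraded, so keeping the modified CSV (with its own transforms.conf stanza) and the LOOKUP- override in a separate local app is the safer layout.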

shivanshu1593
Builder

I got your requirement now; here's what you can try:

1. In the Index field in your datamodel, append the results of your lookup (inputlookup append=t your_lookup.csv)

2. In the calculated fields, use the "Extract more fields" option, pick "Auto extracted fields", and check whether you can find your desired field there; if yes, just add it to your datamodel.

3. If you cannot find it via Auto extract, you can always go for the trusted Regular Expressions.

Try this and let me know if it works.


If it helps, please accept it as an answer.

Thank you,
Shiv