Splunk Search

How to use a Lookup File with Multiple Static or Dynamic Values?

chrisschum
Path Finder

We have a standard configuration for our workstations. Several of the fields are static but some are dynamic (but these have a fixed length).

I want to use a lookup table of all the values and apply automatically to a sourcetype.

But I'm not sure how I would go about matching the fields/values with a Lookup Definition.

The standard is 

1=Device Type - Static1 char
2=Building Code - Static3 chars
3=Department Code - Static3 chars
4=Function - Static1 char
5=Asset Tag - Dynamic7 chars

 

So a machine may be named LBL1HRSSABC1234 indicating it's a laptop in Building 1 in HR Services that is Shared with an asset tag of ABC1234.

How could I use a lookup with these 4 static and 1 dynamic values to populate said values when a search is done on a particular host name.

I should mention that I'm confortable creating the lookup and applying it, just not how to get it to match on the criteria above.

Thanks in advance!

 

Labels (1)
Tags (3)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

This is not a job for lookups.  Use regex-based transformation.

 

"(?<device_type>.)(?<building_code>...)(?<department_code>...)(?<function>.)(?<asset_tag>.{7})"

 

View solution in original post

Tags (1)

yuanliu
SplunkTrust
SplunkTrust

This is not a job for lookups.  Use regex-based transformation.

 

"(?<device_type>.)(?<building_code>...)(?<department_code>...)(?<function>.)(?<asset_tag>.{7})"

 

Tags (1)

chrisschum
Path Finder

That worked like a charm! Thank you!

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...