Splunk Search

Manipulating fields within a transaction

bcarr12
Path Finder

What would be the best way to go about manipulating fields within a transaction? For example, let's say I have the following transaction as part of my search to create a transaction:

"search text" source="mylog.log" | transaction maxpause=1s FieldA, FieldB, FieldC, FieldD

Within each transaction, there are additional fields that I use for creating alerts and reports. All of the logs have a descriptive field in them called FieldE. The problem is, sometimes FieldE is very specific and sometimes FieldE does not give me the information I need and requires an additional field, FieldF to get more information (I use a lookup table in both cases). In a normal case, I would put FieldE into a lookup table and output the DescriptionFieldE and be done.

In the cases where FieldE is not descriptive enough, I can use FieldF. FieldF is not present in every log in a transaction. At a high level, what I am trying to do is within each transaction:

If there is a value for FieldF, input it into a lookup table and output as DescriptionFieldF. Create a new field that has both the results of DescriptionFieldE and DescriptionFieldF. What is the best way to create a new field that is the combination of the results of several other fields? Basically something like:

NewField=DescriptionFieldE+DescriptionFieldF (the "results" of both these fields are words so I am not trying to actually add anything together, just combine the results into a single field)

0 Karma

lguinn2
Legend

You could do this using the concatenation operator:

| lookup fieldElookup FieldE output DescriptionFieldE
| lookup fieldFlookup FieldF output DescriptionFieldF
| eval newField=DescriptionFieldE . DescriptionFieldF

0 Karma

bcarr12
Path Finder

I gave this a shot and it doesn't seem to be working. I have a value for DescriptionFieldE and DescriptionFieldF, but if I do:

eval newField=DescriptionFieldE . DescriptionFieldF

It doesn't return any values? One thing I am unsure of, will this concatenation create one field with one result that has both descriptions in it? Or one field with two results?

0 Karma
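Added example, not posted by either participant above: it builds on lguinn2's lookup-then-concatenate search and covers the two points raised in the follow-up. In SPL, the `.` operator returns null when either operand is null, and the question states that FieldF is not present in every log, so in any transaction without a FieldF value DescriptionFieldF is null and the plain concatenation yields nothing; `coalesce`/`isnull` guard against that. Also, `transaction` merges differing per-event values into one multivalue field, so the lookup output can itself be multivalue; `mvdedup` and `mvjoin` flatten it into a single string so the result is one field with one value rather than one field with several. The lookup names fieldElookup and fieldFlookup are taken from the answer above; the base search, the output field names descE/descF and the separator strings are assumptions for illustration.

```spl
"search text" source="mylog.log"
| transaction maxpause=1s FieldA, FieldB, FieldC, FieldD
| lookup fieldElookup FieldE OUTPUT DescriptionFieldE
| lookup fieldFlookup FieldF OUTPUT DescriptionFieldF
| eval descE = mvjoin(mvdedup(DescriptionFieldE), " | ")
| eval descF = mvjoin(mvdedup(DescriptionFieldF), " | ")
| eval NewField = if(isnull(descF), descE, descE . " / " . descF)
| fields - descE, descF
```

If DescriptionFieldE can also be missing, wrap it the same way, e.g. `coalesce(descE, "")`, otherwise a transaction with no FieldE match still produces a null NewField. Running the two `lookup` commands before `transaction` instead of after gives the same end result, since the per-event description values are then merged into multivalue fields by `transaction` and flattened by the same `mvjoin` step.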