Splunk Search

Substituting key values on raw text

responsys_cm
Builder

Let's say I have a CSV input with the following columns:  _raw,user,src_ip

The _raw event is:  "Accepted public key for user $user$ from $src_ip$"

Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields?

I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands <<FIELD>> and '<<FIELD>>'.  

Is there another way to do this?

Labels (1)
0 Karma

johnhuang
Motivator

Assuming you're running this during search time.

 

Quick and dirty:

 

| eval _raw="Accepted public key for user ".user." from ".src_ip

 

 

Dynamic:

 

| foreach user src_ip [eval _raw=replace(_raw, "\$<<FIELD>>\$", '<<FIELD>>')]

 

 

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...