Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Substituting key values on raw text

responsys_cm
Builder
‎02-01-2022 04:22 PM

Let's say I have a CSV input with the following columns:  _raw,user,src_ip

The _raw event is:  "Accepted public key for user $user$ from $src_ip$"

Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields?

I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands <<FIELD>> and '<<FIELD>>'.  

Is there another way to do this?

Labels (1)
Labels
0 Karma
Reply

johnhuang
Motivator
‎02-01-2022 06:09 PM

Assuming you're running this during search time.

 

Quick and dirty:

 

| eval _raw="Accepted public key for user ".user." from ".src_ip

 

 

Dynamic:

 

| foreach user src_ip [eval _raw=replace(_raw, "\$<<FIELD>>\$", '<<FIELD>>')]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top