Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Substituting key values on raw text

responsys_cm
Builder
‎02-01-2022 04:22 PM

Let's say I have a CSV input with the following columns:  _raw,user,src_ip

The _raw event is:  "Accepted public key for user $user$ from $src_ip$"

Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields?

I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands <<FIELD>> and '<<FIELD>>'.  

Is there another way to do this?

Labels (1)
Labels
0 Karma
Reply

johnhuang
Motivator
‎02-01-2022 06:09 PM

Assuming you're running this during search time.

 

Quick and dirty:

 

| eval _raw="Accepted public key for user ".user." from ".src_ip

 

 

Dynamic:

 

| foreach user src_ip [eval _raw=replace(_raw, "\$<<FIELD>>\$", '<<FIELD>>')]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...