Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Substituting key values on raw text

responsys_cm
Builder
‎02-01-2022 04:22 PM

Let's say I have a CSV input with the following columns:  _raw,user,src_ip

The _raw event is:  "Accepted public key for user $user$ from $src_ip$"

Is there a way to replace $user$ and $src_ip$ in _raw with the values of the corresponding fields?

I tried using "foreach" and "rex" in sedcmd mode, but it doesn't look like rex understands <<FIELD>> and '<<FIELD>>'.  

Is there another way to do this?

Labels (1)
Labels
0 Karma
Reply

johnhuang
Motivator
‎02-01-2022 06:09 PM

Assuming you're running this during search time.

 

Quick and dirty:

 

| eval _raw="Accepted public key for user ".user." from ".src_ip

 

 

Dynamic:

 

| foreach user src_ip [eval _raw=replace(_raw, "\$<<FIELD>>\$", '<<FIELD>>')]

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...