Re: Using LOOKUP on a REGEX when parsin inputs to ...

alexantao · ‎10-16-2013

Hello,

I have an input that come from one proxy equipment that logs several clients. It is just on big log with all access in it.
I configured a LOOKUP table that maps the Subnetwork of a client to its name, based on it's IP address logged, and it works:

[clients]
default_match = UnknownClient
filename = clients.csv
match_type = CIDR(subnetwork)
max_matches = 1
min_matches = 1

Since my index is getting really huge, I want to split it into smaller indexes. It will make everything easy and faster. So I configured a TRANSFORM clause on transforms.conf and props.conf so that based on a REGEX, it will send to different indexes:

[client1]
REGEX = -SOME_STRING_IDENTIFIER-
DEST_KEY = _MetaData:Index
FORMAT = access_client1

[my_logs]
TRANSFORMS-clients=access_client1,

And it works too. The events comming from client1 goes to index access_client1, client2 goes to access_client2 and so on...

The problem is that this REGEX does not recognize all events comming from a client. The best would be if I could lookup the LOOKUP-clients-table and decide based on their IP address (dvc_ip field), exactly as splunk does when searching. Is it possible ?

Thanks

lukejadamec · ‎10-16-2013

It would be nice, but you can't parse at index time based on a lookup. Lookups are search time only.

Using LOOKUP on a REGEX when parsin inputs to send to an index

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?