
What is the most efficient way to combine a Websense index and lookup?

antifreke
Path Finder

We all know Websense has category numbers instead of the category and child_category names. So, I have a question on combining this data. Instead of altering props.conf (no app, just using generic search), what is the most efficient way to combine the following:

index=websense 
lookup file WS_Category.csv 

I want to be able to replace the category numbers in the websense index with the names in the csv. The category (index) field is directly relational to the ID (csv) field in the lookup. Ideally I'd like the data in my results to show up with a category name (Adult Material, Education, Government, etc.) instead of 1, 41, 1508, 201, etc. Thoughts?

1 Solution

rsennett_splunk
Splunk Employee

This is straightforward in that you identify the fields in the lookup for Splunk that will match with the indexed field. Then tell it what field, based on the lookup, is the output... and then use it.

Not quite exactly what you are looking for, but close if you want to get the flavor:
https://answers.splunk.com/answers/146732/how-to-lookup-field-from-csv-file-using-automatic-lookups....

...|stats count by ID|lookup WS_category ID OUTPUT categoryName|table blah category

This presumes that ID is the field that matches in the Splunk index and in the csv and that 'category' is the display name for the category.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

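As an added example (not from the thread), the search below applies the lookup the way the question describes, matching the indexed category and child_category codes against the lookup's ID column. It assumes a lookup definition named WS_Category whose CSV has the columns ID and categoryName (the names used in the accepted answer); if the file was only uploaded as a lookup table file with no definition, the filename WS_Category.csv can be used in its place.

```spl
index=websense
| lookup WS_Category ID AS category OUTPUTNEW categoryName AS category_name
| lookup WS_Category ID AS child_category OUTPUTNEW categoryName AS child_category_name
| eval category_name=coalesce(category_name, "UNMAPPED-".category)
| eval child_category_name=coalesce(child_category_name, "UNMAPPED-".child_category)
| stats count by category_name, child_category_name
```

The two eval lines keep events whose code has no row in the lookup visible as UNMAPPED-<code> instead of silently dropping the name, so a gap in the category table shows up in the results rather than disappearing from them. They also double as a quick check that the lookup is being read at all, which was the problem antifreke hit: if every row comes back UNMAPPED-, the lookup is not matching, and `| inputlookup WS_Category` will show whether the file and its column names are what Splunk actually sees.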


antifreke
Path Finder

I figured out why it wasn't working: my file wasn't recognized as a .csv. That's fixed and this query works perfectly! Thanks!


aaraneta_splunk
Splunk Employee

Thanks for clarifying @antifreke 🙂


aaraneta_splunk
Splunk Employee

Hi @antifreke - Are you using one of the Websense apps/add-ons located on Splunkbase? If so, which one? I just want to make sure your post is tagged properly. Thanks!


antifreke
Path Finder

I am not using any of the websense apps. We are building out a custom application and all of our data is in a single location under index=websense.
