Splunk Search

What is the most efficient way to combine a Websense index and lookup?

antifreke
Path Finder

We all know Websense has category numbers instead of the category and child_category names. So, I have a question on combining this data. Instead of altering props.conf (no app, just using generic search), what is the most efficient way to combine the following:

index=websense 
lookup file WS_Category.csv 

I want to be able to replace the category numbers in the websense index with the names in the csv. The category (index) field is directly relational to the ID (csv) field in the lookup. Ideally I'd like the data in my results to show up with a category name (Adult Material, Education, Government, etc.) instead of 1, 41, 1508, 201, etc. Thoughts?

1 Solution

rsennett_splunk
Splunk Employee

This is straightforward in that you identify the fields in the lookup for Splunk that will match with the indexed field. Then tell it what field, based on the lookup, is the output... and then use it.

Not quite exactly what you are looking for but close if you want to get the flavor:
https://answers.splunk.com/answers/146732/how-to-lookup-field-from-csv-file-using-automatic-lookups....

... | stats count by ID | lookup WS_category ID OUTPUT category | table blah category

This presumes that ID is the field that matches in the Splunk index and in the csv and that 'category' is the display name for the category.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

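As an added illustration (not part of the answer above), the same approach written against the field names in the original question, where the indexed field is category (the number) and the CSV key column is ID. The CSV value column category_name and the placeholder UNMAPPED for numbers missing from the CSV are assumptions:

```spl
index=websense
| lookup WS_Category.csv ID AS category OUTPUT category_name
| fillnull value="UNMAPPED" category_name
| stats count BY category category_name
| sort - count
```

The ID AS category clause is what joins a CSV column to an index field of a different name, and keeping the numeric category alongside category_name makes any ID absent from the CSV visible instead of silently blank.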


antifreke
Path Finder

I figured out why it wasn't working: my file wasn't recognized as a .csv. That's fixed, and this query works perfectly! Thanks!


aaraneta_splunk
Splunk Employee

Thanks for clarifying @antifreke 🙂


aaraneta_splunk
Splunk Employee

Hi @antifreke - Are you using one of the Websense apps/add-ons located on Splunkbase? If so, which one? I just want to make sure your post is tagged properly. Thanks!


antifreke
Path Finder

I am not using any of the websense apps. We are building out a custom application and all of our data is in a single location under index=websense.
