We all know Websense has category numbers instead of the category and child_category names. So, I have a question on combining this data. Instead of altering props.conf (no app, just using generic search), what is the most efficient way to combine the following:
index=websense
lookup file WS_Category.csv
I want to be able to replace the category numbers in the websense index with the names in the csv. The category (index) field is directly relational to the ID (csv) field in the lookup. Ideally I'd like the data in my results to show up with a category name (Adult Material, Education, Government, etc.) instead of a 1, 41, 1508, 201, etc. Thoughts?
This is straightforward in that you identify the fields in the lookup for Splunk that will match with the indexed field. Then tell it what field, based on the lookup, is the output... and then use it.
Not quite exactly what you are looking for, but close if you want to get the flavor:
https://answers.splunk.com/answers/146732/how-to-lookup-field-from-csv-file-using-automatic-lookups....
...|stats count by ID|lookup WS_category ID OUTPUT categoryName|table blah category
This presumes that ID is the field that matches in the Splunk index and in the csv and that 'category' is the display name for the category.
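An added example of the search the answer describes, written for the asker's field names rather than copied from either post; it assumes WS_Category.csv has been uploaded as a lookup table file with columns ID and Category (assumed column names), and that the indexed field is named category as stated in the question:

```spl
| inputlookup WS_Category.csv
| head 5

index=websense
| lookup WS_Category.csv ID AS category OUTPUT Category AS category_name
| fillnull value="unknown (ID not in lookup)" category_name
| stats count BY category_name
```

The first search confirms Splunk actually recognises the uploaded file as a CSV lookup (the failure mode reported later in this thread); the second does the ID-to-name mapping and keeps rows whose ID is missing from the CSV visible instead of silently dropping them.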
I figured out why it wasn't working: my file wasn't recognized as a .csv. That's fixed and this query works perfectly! Thanks!
Thanks for clarifying @antifreke 🙂
Hi @antifreke - Are you using one of the Websense apps/add-ons located on Splunkbase? If so, which one? I just want to make sure your post is tagged properly. Thanks!
I am not using any of the Websense apps. We are building out a custom application, and all of our data is in a single location under index=websense.