Splunk Search

What is the most efficient way to combine a Websense index and lookup?

Path Finder

We all know Websense has category numbers instead of the category and child_category names. So, I have a question on combining this data. Instead of altering props.conf (no app, just using generic search), what is the most efficient way to combine the following:

index=websense 
lookup file WS_Category.csv 

I want to be able to replace the category numbers in the websense index with the names in the csv. The category (index) field is directly relational to the ID (csv) field in the lookup. Ideally I'd like the data in my results to show up with a category name (Adult Material, Education, Government, etc.) instead of 1, 41, 1508, 201, etc. Thoughts?

0 Karma
1 Solution

Splunk Employee

This is straightforward, in that you identify the fields in the lookup for Splunk that will match with the indexed field. Then tell it what field, based on the lookup, is the output... and then use it.

Not quite exactly what you are looking for, but close if you want to get the flavor:
https://answers.splunk.com/answers/146732/how-to-lookup-field-from-csv-file-using-automatic-lookups....

... | stats count by ID | lookup WS_category ID OUTPUT category | table ID category count

This presumes that ID is the field that matches in the Splunk index and in the csv, and that 'category' is the display name for the category.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!


0 Karma
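A full version of the asker's scenario, added here as an illustration and not taken from the thread or from any Websense add-on. The file and field names (WS_Category.csv, ID, category_name) and the number-to-name pairs in the sample CSV are assumptions, not the vendor's real mapping. The first search writes a constructed four-row CSV into the lookups directory; the second matches the lookup's ID column against the indexed category number and flags any number the CSV does not know, so unmapped events show up in the report instead of quietly losing their label.

```spl
| makeresults count=4
| streamstats count AS row
| eval ID=case(row=1, "1", row=2, "41", row=3, "1508", row=4, "201"),
       category_name=case(row=1, "Adult Material", row=2, "Education",
                          row=3, "Government", row=4, "Sample Category")
| table ID category_name
| outputlookup WS_Category.csv

index=websense
| lookup WS_Category.csv ID AS category OUTPUT category_name
| fillnull value="UNMAPPED" category_name
| stats count BY category category_name
| sort - count

index=websense
| lookup WS_Category.csv ID AS category OUTPUT category_name
| where isnull(category_name)
| stats count BY category
```

The third search lists only the category numbers missing from the CSV, which is the check to run whenever the vendor adds categories; lookup matching is string-based, so the ID column must contain the bare number exactly as it appears in the indexed category field.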

Path Finder

I figured out why it wasn't working: my file wasn't recognized as a .csv. That's fixed, and this query works perfectly! Thanks!

0 Karma

Splunk Employee

Thanks for clarifying @antifreke 🙂

0 Karma

Splunk Employee

Hi @antifreke - Are you using one of the Websense apps/add-ons located on Splunkbase? If so, which one? I just want to make sure your post is tagged properly. Thanks!

0 Karma

Path Finder

I am not using any of the Websense apps. We are building out a custom application, and all of our data is in a single location under index=websense.

0 Karma