Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can I give a description to an extracted field?

rileyken
Explorer
‎07-29-2019 12:21 PM

I have a GUID field in my logs, and the guid is unique for a specific location. I wanted to query for all events that happen at a specific location so I have to look up the guid value for the location and then search for the guid. Is it possible to use the friendly name for the location to search by instead?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎07-29-2019 12:33 PM

Greetings Riley,

  1. Settings > Lookups > "Add New" next to "Lookup table files"
  2. Create a CSV similar to the one below. Upload it with name "GUIDs.csv"
  3. Run the search below in the same app that the csv was uploaded in.

GUIDs.csv

GUID,Description
 1,Location 1
 2,Location 2
 3,Location 3
 4,Location 4
 5,Location 5
 6,Location 6
 7,Location 7
 8,Location 8
 9,Location 9
 10,Location 10

Query

| makeresults count=10
| eval   GUID=random()%10
| lookup GUIDs.csv GUID as GUID
| search Description IN ("Location 1", "Location 2", "Location 3")

If anyone in the future finds this post useful, please refer to this link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

View solution in original post

Reply
Solved! Jump to solution

rileyken
Explorer
‎07-30-2019 05:45 AM

Thanks, worked like a champ!

0 Karma
Reply
Solved! Jump to solution

jacobpevans
Motivator
‎07-30-2019 06:08 AM

You're welcome!

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎07-29-2019 12:33 PM

Greetings Riley,

  1. Settings > Lookups > "Add New" next to "Lookup table files"
  2. Create a CSV similar to the one below. Upload it with name "GUIDs.csv"
  3. Run the search below in the same app that the csv was uploaded in.

GUIDs.csv

GUID,Description
 1,Location 1
 2,Location 2
 3,Location 3
 4,Location 4
 5,Location 5
 6,Location 6
 7,Location 7
 8,Location 8
 9,Location 9
 10,Location 10

Query

| makeresults count=10
| eval   GUID=random()%10
| lookup GUIDs.csv GUID as GUID
| search Description IN ("Location 1", "Location 2", "Location 3")

If anyone in the future finds this post useful, please refer to this link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...