Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

can I give a description to an extracted field?

rileyken
Explorer
‎07-29-2019 12:21 PM

I have a GUID field in my logs, and the guid is unique for a specific location. I wanted to query for all events that happen at a specific location so I have to look up the guid value for the location and then search for the guid. Is it possible to use the friendly name for the location to search by instead?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎07-29-2019 12:33 PM

Greetings Riley,

  1. Settings > Lookups > "Add New" next to "Lookup table files"
  2. Create a CSV similar to the one below. Upload it with name "GUIDs.csv"
  3. Run the search below in the same app that the csv was uploaded in.

GUIDs.csv

GUID,Description
 1,Location 1
 2,Location 2
 3,Location 3
 4,Location 4
 5,Location 5
 6,Location 6
 7,Location 7
 8,Location 8
 9,Location 9
 10,Location 10

Query

| makeresults count=10
| eval   GUID=random()%10
| lookup GUIDs.csv GUID as GUID
| search Description IN ("Location 1", "Location 2", "Location 3")

If anyone in the future finds this post useful, please refer to this link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.

View solution in original post

Reply
Solved! Jump to solution

rileyken
Explorer
‎07-30-2019 05:45 AM

Thanks, worked like a champ!

0 Karma
Reply
Solved! Jump to solution

jacobpevans
Motivator
‎07-30-2019 06:08 AM

You're welcome!

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
0 Karma
Reply
Solved! Jump to solution
Solution

jacobpevans
Motivator
‎07-29-2019 12:33 PM

Greetings Riley,

  1. Settings > Lookups > "Add New" next to "Lookup table files"
  2. Create a CSV similar to the one below. Upload it with name "GUIDs.csv"
  3. Run the search below in the same app that the csv was uploaded in.

GUIDs.csv

GUID,Description
 1,Location 1
 2,Location 2
 3,Location 3
 4,Location 4
 5,Location 5
 6,Location 6
 7,Location 7
 8,Location 8
 9,Location 9
 10,Location 10

Query

| makeresults count=10
| eval   GUID=random()%10
| lookup GUIDs.csv GUID as GUID
| search Description IN ("Location 1", "Location 2", "Location 3")

If anyone in the future finds this post useful, please refer to this link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

Cheers,
Jacob

If you feel this response answered your question, please do not forget to mark it as such. If it did not, but you do have the answer, feel free to answer your own post and accept that as the answer.
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...