So i have a splunk deployment that i have a saved search that is want to transform the user_id in to a related piece of infomation that i have in my mysql database. i have the sql connector installed, but being that i am very new to that, i cannot see how or IF... i can execute a search and have the mysql connector do a transform of sorts. for argument sake, if this is what my log entry looks like in splunk:
2012-06-01 15:02:55,965 INFO [com.currensee.platform.brokers.mt4.MT4TerminalConnection] [133856274504727275588810219999289] - < response="">
where u42416 is the user_id and c12811 is a credential id, i want to look up each of those ids in the database and replace them with the ticker in the database and the username in the displayed search results. assuming that i have the query that will give me the ticker and username (which i do)...can i do this transform?
This can be done, but you would be doing it using a dynamic lookup. That is, it would be a Python script which would run the query and return the info from the database. This would not be displayed in the data, but would be a field value attached to each event.
See:
http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources