execute search and replace parts with result from ...

marguin · ‎06-01-2012

So i have a splunk deployment that i have a saved search that is want to transform the user_id in to a related piece of infomation that i have in my mysql database. i have the sql connector installed, but being that i am very new to that, i cannot see how or IF... i can execute a search and have the mysql connector do a transform of sorts. for argument sake, if this is what my log entry looks like in splunk:

2012-06-01 15:02:55,965 INFO [com.currensee.platform.brokers.mt4.MT4TerminalConnection] [133856274504727275588810219999289] - < response="">closeu42416;c12811;be2-9.bsn.currensee.com;

where u42416 is the user_id and c12811 is a credential id, i want to look up each of those ids in the database and replace them with the ticker in the database and the username in the displayed search results. assuming that i have the query that will give me the ticker and username (which i do)...can i do this transform?

dshpritz · ‎06-01-2012

This can be done, but you would be doing it using a dynamic lookup. That is, it would be a Python script which would run the query and return the info from the database. This would not be displayed in the data, but would be a field value attached to each event.

See:
http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources

execute search and replace parts with result from sql query

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!