Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction where the data may need a lookup

jalfrey
Communicator
‎06-26-2013 03:29 PM

I'd like to do a field extraction on these fields:

proto=udp/67
proto=tcp/http
proto=udp/9060

Should become
protocol/service

If the service ends up being something alphabetic like HTTP then I don't change it. If not I should do a lookup for the numeric value to /etc/services and get the service name.

I could extract the number and save it as the port_numer then do a lookup on that field. Would splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎06-27-2013 10:11 AM

ok thanks. Good to know the internals.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...