Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

field extraction where the data may need a lookup

jalfrey
Communicator
‎06-26-2013 03:29 PM

I'd like to do a field extraction on these fields:

proto=udp/67
proto=tcp/http
proto=udp/9060

Should become
protocol/service

If the service ends up being something alphabetic like HTTP then I don't change it. If not I should do a lookup for the numeric value to /etc/services and get the service name.

I could extract the number and save it as the port_numer then do a lookup on that field. Would splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎06-27-2013 10:11 AM

ok thanks. Good to know the internals.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...