Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction where the data may need a lookup

jalfrey
Communicator
‎06-26-2013 03:29 PM

I'd like to do a field extraction on these fields:

proto=udp/67
proto=tcp/http
proto=udp/9060

Should become
protocol/service

If the service ends up being something alphabetic like HTTP then I don't change it. If not I should do a lookup for the numeric value to /etc/services and get the service name.

I could extract the number and save it as the port_numer then do a lookup on that field. Would splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎06-27-2013 01:32 AM

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎06-27-2013 10:11 AM

ok thanks. Good to know the internals.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...