Splunk Search

field extraction where the data may need a lookup

jalfrey
Communicator

I'd like to do a field extraction on these fields:

proto=udp/67
proto=tcp/http
proto=udp/9060

Should become
protocol/service

If the service ends up being something alphabetic like HTTP then I don't change it. If not I should do a lookup for the numeric value to /etc/services and get the service name.

I could extract the number and save it as the port_numer then do a lookup on that field. Would splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?

Tags (3)
0 Karma
1 Solution

Ayn
Legend

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma

Ayn
Legend

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma

jalfrey
Communicator

ok thanks. Good to know the internals.

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!