Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

heavy forwarder lookup

tmarlette
Motivator
‎06-23-2014 08:30 AM

I was wondering if it is possible to have a heavy forwarder perform a lookup on a field before it sends data to the indexer?

For instance, I have a series of KV pairs that are numeric in nature, and so are their values, so splunk doesn't recognize them as fields. below is an example of some of the data I am capturing:

1015=USD  9053=0 20064=329915 20200=TESTTR 20401=100 20403=100,101 20404=ef2508bb-5fc-0n5i-3 20409=3 20677=Purf 20687=ef2508bb-5fc-0n5i 23054=14:9:35 23065=119 23153=5646521 23249=1532 23610=12 23955=1

Take for instance "1015=USD". This is the field that determines the currency. I am looking for the heavy forwarder to perform a lookup on "1015" and then forward to the indexer as 'currency'.

Is this possible?

Tags (2)
0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:34 AM

Negative, this is a proprietary applications format, and while FIX tags are also included, this is not explicit FIX.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎06-23-2014 08:35 PM

Is this a FIX log format, by any chance...?
If so, have you seen this: http://apps.splunk.com/app/431/

0 Karma
Reply

lguinn2
Legend
‎06-23-2014 05:47 PM

Sorry but no. However, on the indexer (or search head), you could extract the field on the left of the equal sign with a field name like "fieldDefn" and extract the data on the right side of the equal sign with the name "fieldValue".

You could then use the fieldDefn field to do a lookup and come up with the string representation of the field name...

But what you would do after that depends on the purpose of your search or report.

0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:40 AM

yeah but when I try that it doesn't work.

here is my RegEx for the capture:
(?\d+)=[^\s]+

This works in regexr, but not in splunk for some reason. Splunk only captures 2 of those fields with this extraction.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...