Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

heavy forwarder lookup

tmarlette
Motivator
‎06-23-2014 08:30 AM

I was wondering if it is possible to have a heavy forwarder perform a lookup on a field before it sends data to the indexer?

For instance, I have a series of KV pairs that are numeric in nature, and so are their values, so splunk doesn't recognize them as fields. below is an example of some of the data I am capturing:

1015=USD  9053=0 20064=329915 20200=TESTTR 20401=100 20403=100,101 20404=ef2508bb-5fc-0n5i-3 20409=3 20677=Purf 20687=ef2508bb-5fc-0n5i 23054=14:9:35 23065=119 23153=5646521 23249=1532 23610=12 23955=1

Take for instance "1015=USD". This is the field that determines the currency. I am looking for the heavy forwarder to perform a lookup on "1015" and then forward to the indexer as 'currency'.

Is this possible?

Tags (2)
0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:34 AM

Negative, this is a proprietary applications format, and while FIX tags are also included, this is not explicit FIX.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎06-23-2014 08:35 PM

Is this a FIX log format, by any chance...?
If so, have you seen this: http://apps.splunk.com/app/431/

0 Karma
Reply

lguinn2
Legend
‎06-23-2014 05:47 PM

Sorry but no. However, on the indexer (or search head), you could extract the field on the left of the equal sign with a field name like "fieldDefn" and extract the data on the right side of the equal sign with the name "fieldValue".

You could then use the fieldDefn field to do a lookup and come up with the string representation of the field name...

But what you would do after that depends on the purpose of your search or report.

0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:40 AM

yeah but when I try that it doesn't work.

here is my RegEx for the capture:
(?\d+)=[^\s]+

This works in regexr, but not in splunk for some reason. Splunk only captures 2 of those fields with this extraction.

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...