Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rex and sed with automatic lookups

christoffertoft
Communicator
‎02-22-2019 04:58 AM

Hi,

This is basically a question of when automatic lookups are applied to data.

I have a field url i need to sed and then use an automatic lookup to assert whether the sed-ed url is in the list. What are the steps I need to take?
Is it easier to use the | lookup command after the sed pipe?

Ideally i have a search that runs the rex on url and then look for a lookup value that exists in the row for the value of that url in the lookup. If this is found, I know that the automatic lookup matched my rexed field.

0 Karma
Reply

woodcock
Esteemed Legend
‎03-05-2019 06:59 PM

You need this:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

So what you need to do is create Calculated Field using the replace() function (instead of | rex mode=sed to create the field that you need and then setup an Automatic Lookup and it will work just fine. If this is for the purpose of CIM-compliance, you must make it automatic (not in your search's SPL).

0 Karma
Reply

somesoni2
Revered Legend
‎02-22-2019 07:48 AM

See this:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Knowledge/Searchtimeoperationssequence#Search-tim...

0 Karma
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...