Splunk Search
Highlighted

rex and sed with automatic lookups

Communicator

Hi,

This is basically a question of when automatic lookups are applied to data.

I have a field url i need to sed and then use an automatic lookup to assert whether the sed-ed url is in the list. What are the steps I need to take?
Is it easier to use the | lookup command after the sed pipe?

Ideally i have a search that runs the rex on url and then look for a lookup value that exists in the row for the value of that url in the lookup. If this is found, I know that the automatic lookup matched my rexed field.

0 Karma
Highlighted

Re: rex and sed with automatic lookups

SplunkTrust
SplunkTrust
0 Karma
Highlighted

Re: rex and sed with automatic lookups

Esteemed Legend

You need this:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Searchtimeoperationssequence

So what you need to do is create Calculated Field using the replace() function (instead of | rex mode=sed to create the field that you need and then setup an Automatic Lookup and it will work just fine. If this is for the purpose of CIM-compliance, you must make it automatic (not in your search's SPL).

0 Karma