Splunk Search

using eval with automatic lookups

Bulluk
Path Finder

Is there a way to perform an eval when using an automatic lookup? I'm using user IDs in IIS logs to find a user's real name (and lots more stuff but for simplicity let's just say name.) My problem is that the user names can randomly be mixed case so I need to perform an

eval lowuser=lower(cs_username)

prior to performing the lookup. This works fine on the search bar

sourcetype="iis" | eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

Unfortunately I can't get this to work with automatic lookups without manually including the eval statement in all my searches. So:

  1. Is there a way to auto-append a search term to a source type, i.e. for sourcetype="iis" append eval lowuser=lower(cs_username)?
  2. Is there a way to add the eval to the auto-lookup stanza in props.conf?

Thanks in advance!

1 Solution

dwaddle
SplunkTrust

In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.

But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.

See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:

[ad_lookup]
case_sensitive_match = false

Bulluk
Path Finder

I went with this as it was a very quick fix and meant I could start showing Splunk off to the web analytic guys who paid for it ASAP. Thanks for your help

lguinn2
Legend

You could do a scripted lookup instead of a file-based lookup. Then you could change the case of the input field(s) as part of your script.

Another choice, though not as nice, is to build a macro that contains

eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

But you would have to invoke the macro whenever you wanted the lookup...
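As an added example (not code from this thread or from Splunk), here is a minimal Python external lookup script of the kind lguinn2 suggests: it lowercases the lanID value before matching, so mixed-case cs_username values resolve, while leaving the field values Splunk matches on untouched. The script name, the transforms.conf/props.conf wiring in the docstring and the directory contents are assumptions.

```python
#!/usr/bin/env python3
"""Case-insensitive external lookup for Splunk (added example, assumptions marked).
Assumed wiring (names are hypothetical):
  transforms.conf:  [ad_lookup]
                    external_cmd = ad_lookup.py
                    fields_list  = lanID, DisplayName
  props.conf:       [iis]
                    LOOKUP-ad = ad_lookup lanID AS cs_username OUTPUTNEW DisplayName AS Name
Splunk feeds the script a CSV on stdin whose header lists fields_list, with
the output field empty; the script prints a CSV with the same header, filled.
"""
import csv
import io
import sys

# Constructed sample directory (lanID -> DisplayName), keyed in lowercase.
# A real script would read this from a file or query AD.
DIRECTORY = {
    "jsmith": "John Smith",
    "adoe": "Alice Doe",
}


def lookup_rows(csv_text, directory=DIRECTORY, key="lanID", out="DisplayName"):
    """Parse the CSV Splunk sends, match `key` case-insensitively, fill `out`.
    The original `key` value is left as-is in the returned rows: Splunk matches
    the returned rows back to events on the input field values."""
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    rows = []
    for row in reader:
        lookup_key = (row.get(key) or "").strip().lower()
        name = directory.get(lookup_key)
        if name is not None and not row.get(out):
            row[out] = name
        rows.append(row)
    return header, rows


def render_csv(header, rows):
    """Serialise rows back to CSV with the same header Splunk sent."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    header, rows = lookup_rows(sys.stdin.read())
    sys.stdout.write(render_csv(header, rows))
```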

lguinn2
Legend

Np - thanks! -- Actually, I like dwaddle's answer better for most cases.

Bulluk
Path Finder

oh.... I would have if I had enough reputation lol

Bulluk
Path Finder

It feels like a scripted input would probably be the best long term solution so I've marked this answer up but have set dwaddle's response as the accepted answer as it's the one I've used for now. Thanks for your help 🙂
