Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

using eval with automatic lookups

Bulluk
Path Finder
‎12-15-2011 04:20 AM

Is there a way to perform an eval when using an automatic lookup? I'm using user IDs in IIS logs to find a user's real name (and lots more stuff but for simplicity let's just say name.) My problem is that the user names can randomly be mixed case so I need to perform an 

eval lower(cs_username)

prior to performing the lookup. This works fine on the search bar

sourcetype="iis" | eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

Unfortunately I can't get this to work with automatic lookups without manually include the eval statement in all my searches. so....:

  1. Is there a way to auto-append a search term to a source type, ie for sourcetype="iis" append eval lowuser=lower(cs_username)
  2. is there a way to add the eval to the auto-lookup stanza in props.conf?

Thanks in advance!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎12-17-2011 07:59 PM

In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.

But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.

See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:

[ad_lookup]
case_sensitive_match = false

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎12-17-2011 07:59 PM

In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.

But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.

See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:

[ad_lookup]
case_sensitive_match = false
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎12-19-2011 02:05 AM

I went with this as it was a very quick fix and meant I could start showing Splunk off to the web analytic guys who paid for it ASAP. Thanks for your help

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-17-2011 06:01 PM

You could do a scripted lookup instead of a file-based lookup. Then you could change the case of the input field(s) as part of your script.

Another choice, though not as nice, is to build a macro that contains

eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

But you would have to invoke the macro whenever you wanted the lookup...

Reply
Solved! Jump to solution

lguinn2
Legend
‎12-21-2011 02:00 PM

Np - thanks! -- Actually, I like dwaddle's answer better for most cases.

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎12-19-2011 02:04 AM

oh.... I would have if I had enough reputation lol

0 Karma
Reply
Solved! Jump to solution

Bulluk
Path Finder
‎12-19-2011 02:04 AM

It feels like a scripted input would probably be the best long term solution so I've marked this answer up but have set dwaddle's response as the accepted answer as it's the one I've used for now. Thanks for your help 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

How Edge Processor's Durable Queue Works

Edge Processor sits in one of the most consequential places in any Splunk pipeline: between your data sources ...