Splunk Search

using eval with automatic lookups

Bulluk
Path Finder

Is there a way to perform an eval when using an automatic lookup? I'm using user IDs in IIS logs to find a user's real name (and lots more stuff but for simplicity let's just say name.) My problem is that the user names can randomly be mixed case so I need to perform an

eval lowuser=lower(cs_username)

prior to performing the lookup. This works fine on the search bar

sourcetype="iis" | eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

Unfortunately I can't get this to work with automatic lookups without manually including the eval statement in all my searches. So...:

  1. Is there a way to auto-append a search term to a source type, i.e. for sourcetype="iis" append eval lowuser=lower(cs_username)?
  2. Is there a way to add the eval to the auto-lookup stanza in props.conf?

Thanks in advance!


dwaddle
SplunkTrust
SplunkTrust

In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.

But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.

See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:

[ad_lookup]
case_sensitive_match = false

Bulluk
Path Finder

I went with this as it was a very quick fix and meant I could start showing Splunk off to the web analytics guys who paid for it ASAP. Thanks for your help.


lguinn2
Legend

You could do a scripted lookup instead of a file-based lookup. Then you could change the case of the input field(s) as part of your script.

Another choice, though not as nice, is to build a macro that contains

eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW  DisplayName AS Name

But you would have to invoke the macro whenever you wanted the lookup...
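A worked version of the scripted lookup alternative above, as an added example that is not part of this thread or of Splunk's own code: a Python external lookup that lowercases lanID before matching, so mixed-case cs_username values still resolve without an eval in every search. Splunk runs an external lookup by writing CSV (header = fields_list) to the script's stdin and reading CSV back on stdout; the script name ad_lookup.py, the field names lanID/DisplayName and the small AD_TABLE are constructed for illustration.

```python
#!/usr/bin/env python3
# Hypothetical Splunk external lookup (example, not the thread's code).
# A matching transforms.conf stanza would look roughly like:
#   [ad_lookup]
#   external_cmd = ad_lookup.py lanID DisplayName
#   fields_list = lanID, DisplayName
import csv
import io
import sys

# Constructed stand-in for the AD export; a real deployment would load a
# CSV shipped with the app or query the directory instead.
AD_TABLE = {
    "jsmith": "John Smith",
    "adoe": "Alice Doe",
}


def resolve(lan_id):
    """Case-insensitive lookup of a display name; None when unknown."""
    if lan_id is None:
        return None
    return AD_TABLE.get(lan_id.strip().lower())


def run_lookup(input_csv, key_field, out_field):
    """Fill out_field for every row of the CSV text Splunk supplies.

    Rows whose key is unknown are passed through with out_field left
    empty, the same behaviour as a file lookup with no match.
    """
    reader = csv.DictReader(io.StringIO(input_csv))
    fieldnames = list(reader.fieldnames or [])
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames)
    writer.writeheader()
    for row in reader:
        name = resolve(row.get(key_field))
        if name is not None:
            row[out_field] = name
        writer.writerow(row)
    return out.getvalue()


def main():
    # Splunk passes the field names from external_cmd as arguments.
    key_field, out_field = sys.argv[1], sys.argv[2]
    sys.stdout.write(run_lookup(sys.stdin.read(), key_field, out_field))


if __name__ == "__main__":
    main()
```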

lguinn2
Legend

Np - thanks! -- Actually, I like dwaddle's answer better for most cases.


Bulluk
Path Finder

oh.... I would have if I had enough reputation lol


Bulluk
Path Finder

It feels like a scripted input would probably be the best long term solution so I've marked this answer up but have set dwaddle's response as the accepted answer as it's the one I've used for now. Thanks for your help 🙂
