Is there a way to perform an eval when using an automatic lookup? I'm using user IDs in IIS logs to find a user's real name (and lots more stuff but for simplicity let's just say name.) My problem is that the user names can randomly be mixed case so I need to perform an
eval lower(cs_username)
prior to performing the lookup. This works fine on the search bar
sourcetype="iis" | eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW DisplayName AS Name
Unfortunately I can't get this to work with automatic lookups without manually including the eval statement in all my searches. so....:
Thanks in advance!
In the general sense, I think the answer to your question is "no" -- you cannot have a generalized eval expression applied to an input to a lookup.
But, for your specific issue here, you can configure the lookup table such that the search is done in a case-insensitive manner.
See http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf for more detail, but it should be as simple as:
[ad_lookup]
case_sensitive_match = false
I went with this as it was a very quick fix and meant I could start showing Splunk off to the web analytic guys who paid for it ASAP. Thanks for your help
You could do a scripted lookup instead of a file-based lookup. Then you could change the case of the input field(s) as part of your script.
Another choice, though not as nice, is to build a macro that contains
eval lowuser=lower(cs_username) | lookup ad_lookup lanID AS lowuser OUTPUTNEW DisplayName AS Name
But you would have to invoke the macro whenever you wanted the lookup...
Np - thanks! -- Actually, I like dwaddle's answer better for most cases.
oh.... I would have if I had enough reputation lol
It feels like a scripted input would probably be the best long term solution so I've marked this answer up but have set dwaddle's response as the accepted answer as it's the one I've used for now. Thanks for your help 🙂
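The scripted (external) lookup suggested in the answer above, as an added example that is not code from this thread or from Splunk: the script lower-cases the incoming lanID before matching, so an automatic lookup on cs_username needs no eval. It assumes Splunk's external-lookup convention of a CSV request on stdin and the completed CSV on stdout; the script name, the inline AD_ROWS sample and the helper names are hypothetical.

```python
import csv
import sys

# Constructed sample of the AD export. A real script would load the CSV file
# that currently backs ad_lookup instead of this inline list.
AD_ROWS = [
    {"lanID": "JSmith", "DisplayName": "John Smith"},
    {"lanID": "adoe", "DisplayName": "Alice Doe"},
]


def build_index(rows, key="lanID"):
    """Index the table by lower-cased key so the stored case does not matter either."""
    return {r[key].strip().lower(): r for r in rows if r.get(key)}


def run_lookup(infile, outfile, index, in_field="lanID", out_field="DisplayName"):
    """Read the CSV request, fill out_field where in_field matches, write CSV back.

    Returns the number of rows that matched.
    """
    reader = csv.DictReader(infile)
    if not reader.fieldnames:          # empty request: nothing to answer
        return 0
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames,
                            lineterminator="\n")
    writer.writeheader()
    matched = 0
    for row in reader:
        # Normalise the event value exactly as eval lower(cs_username) would.
        user = (row.get(in_field) or "").strip().lower()
        hit = index.get(user)
        if hit:
            row[out_field] = hit[out_field]
            matched += 1
        writer.writerow(row)           # unmatched rows go back unchanged
    return matched


if __name__ == "__main__":
    # Assumed wiring in transforms.conf (script name is hypothetical):
    #   [ad_lookup]
    #   external_cmd = ad_lookup.py lanID DisplayName
    #   fields_list = lanID, DisplayName
    run_lookup(sys.stdin, sys.stdout, build_index(AD_ROWS))
```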