This is getting in the right direction: getting everything, then trying to filter down and adding all metadata meanwhile.
| index Z BAD
| table Z_BAD_SRC
I have index A with field "User1", which needs to be compared with A.src = Z_BAD_SRC
I have index B with field "User2", which needs to be compared with B.srcip = Z_BAD_SRC
How can I do that with eval, when the field names are different?
eval EnrichmentUser = coalesce(User1, User2, "unable to enrich")
I am unable to do the above comparison for the relation to catch the correct matching events.
The idea from the second poster is what I think Splunk would like to do.
The idea is the following: I want to write hundreds of different SPLs for cases like:
1) GetUserName FromIP
2) GetMac FromIP
3) GetASN FromIP
etc. etc. You have thousands of "enrichments". But the enrichments come from various sources.
How to build the perfect metadata model enrichment, without going straight to Data-Models (because you can't just combine them using field names, but rather you have to use relations, like time/relation/same text).
I want to be able to have many enrichment SPLs which get additional fields into existing saved-searches, at scale.
Or better:
How to build the best auto-enrichment Splunk saved-searches which use enrichments from hundreds of other saved-searches and allow for generic overall enrichment? I know some other product can do that, but it's another product.
Has someone done that with Splunk? Like building all the enrichments into that... Or better to use a sep. platform, e.g. because of the limited SPL language.
Automatic Field Lookups are not the way to go, because of performance problems with replication of the knowledge bundle.
How to build the best enrichment system/framework for Splunk?
I need to have many saved-searches being enriched, automatically via fields or via SPL changes.
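One way to express the comparison asked about above (fields named src in index A and srcip in index B, both checked against the Z_BAD_SRC list), as an added SPL example written for this thread rather than the poster's own search. It assumes the bad sources live in index Z as field Z_BAD_SRC, that User1/User2 are the per-index user fields as described, and that the built-in `comment` macro is available.

```spl
(index=A OR index=B)
`comment("normalise the differently named source fields into one field before comparing")`
| eval src_ip = coalesce(src, srcip)
| eval EnrichmentUser = coalesce(User1, User2, "unable to enrich")
`comment("the subsearch expands to (src_ip=x) OR (src_ip=y) ... built from the bad-source list")`
| search [ search index=Z | fields Z_BAD_SRC | dedup Z_BAD_SRC | rename Z_BAD_SRC AS src_ip ]
| stats count AS hits values(EnrichmentUser) AS users BY index src_ip
```

Subsearches are capped by default (result count and run time), so for a very large bad-source list the usual alternative is a lookup table refreshed by a scheduled search with outputlookup and matched with the lookup command instead of the subsearch.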