×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
wanderson8
Engager
Member since: ‎05-28-2021
‎05-20-2022
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-28-2021
View All

Re: Iterate over lookup table to perform replace o...

by in Splunk Search
‎06-01-2021 08:10 AM
‎06-01-2021 08:10 AM
THANK YOU SO MUCH.  This works! It seems a little hacky and inefficient, but that's more a limitation of the Splunk query language than anything!  Only wish there was a more efficient and sensible way to do this 😕 ... guess I could start looking at making custom apps! ... View more

Re: Iterate over lookup table to perform replace o...

by in Splunk Search
‎05-28-2021 03:41 PM
‎05-28-2021 03:41 PM
If I'm going to do that I might as well just hard-code the search/replace strings in a series of eval replace commands, rather than do it as a lookup table. My idea here is that I want the search/replace iterations to be dynamic based on the contents of the lookup table.  I expect the table will grow over time. If Splunk can't do this (or at least without some major hacky work-arounds) then the hard-coding might just be the way to go, even though it is far from an ideal approach... I'm fairly new to Splunk, so maybe there is something I'm missing here? ... View more

Iterate over lookup table to perform replace on se...

by in Splunk Search
‎05-28-2021 12:00 PM
‎05-28-2021 12:00 PM
I am trying to use a lookup table to perform a series of string replacements on a single field in a search result The lookup table has two fields: find_string, replace_string (??? find_string may need to be a regex for this purpose ???) Then, for every row/event in the search result, I need it to iterate over the lookup table and perform the following operation for a single field from the search results (call it search_field) :   | eval search_field = replace(search_field, find_string, replace_string)   The search_field mutations should be cumulative within each search row/event.  In other words, the return value from the replace function will become the input to the next iteration, until every entry in the lookup table has been iterated over.  Then it moves onto the next row/event and starts over with the original value of search_field at the start of the lookup table, ETC... I have tried many different approaches to this, with no success.  Apparently unlike SQL, subsearches in Splunk are unable to access fields from the outer search.  (???)  I have also had no success with the map command.  This seems like a fairly basic operation in most programming languages, and I think it would be even be do-able in SQL.  Is it even possible to do this with Splunk? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-20-2022 01:25 AM