execute search and replace parts with result from ...

marguin · ‎06-01-2012

So i have a splunk deployment that i have a saved search that is want to transform the user_id in to a related piece of infomation that i have in my mysql database. i have the sql connector installed, but being that i am very new to that, i cannot see how or IF... i can execute a search and have the mysql connector do a transform of sorts. for argument sake, if this is what my log entry looks like in splunk:

2012-06-01 15:02:55,965 INFO [com.currensee.platform.brokers.mt4.MT4TerminalConnection] [133856274504727275588810219999289] - < response="">closeu42416;c12811;be2-9.bsn.currensee.com;

where u42416 is the user_id and c12811 is a credential id, i want to look up each of those ids in the database and replace them with the ticker in the database and the username in the displayed search results. assuming that i have the query that will give me the ticker and username (which i do)...can i do this transform?

dshpritz · ‎06-01-2012

This can be done, but you would be doing it using a dynamic lookup. That is, it would be a Python script which would run the query and return the info from the database. This would not be displayed in the data, but would be a field value attached to each event.

See:
http://docs.splunk.com/Documentation/Splunk/latest/knowledge/Addfieldsfromexternaldatasources

execute search and replace parts with result from sql query

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!