Splunk Search

How to apply a field lookup to any field name match in all sourcetypes

cheganbm
Explorer

Hi,

We have a series of indexes storing different data structures (each with its own sourcetype) that contain a number of common fields.

We wanted to have a single point of reference in the system for translations. We thought of having a specific app that holds this information and applies all the configured translations in any other app, regardless of the index and/or sourcetype displayed.

We thought of something like this. Inside an app, in the default section, we create the following stanzas.

In the transforms.conf we add, in the standard way, the possible translations.

[glbl_common_field_a_dcdng]
default_match = "Unknown"
filename = glbl_common_field_a_dcdng.csv
min_matches = 1

[glbl_common_field_b_dcdng]
default_match = "Unknown"
filename = glbl_common_field_b_dcdng.csv
min_matches = 1

(...)

[glbl_common_field_z_dcdng]
default_match = "Unknown"
filename = glbl_common_field_z_dcdng.csv
min_matches = 1

and in the props.conf we set a stanza with some sort of accepted wildcard that automates every possible translation. Something like below:

[*]
LOOKUP-auto_glbl_common_field_a_dcdng = glbl_common_field_a_dcdng field_a OUTPUT decode_output AS field_a_decoded
LOOKUP-auto_glbl_common_field_b_dcdng = glbl_common_field_b_dcdng field_b OUTPUT decode_output AS field_b_decoded
(...)
LOOKUP-auto_glbl_common_field_z_dcdng = glbl_common_field_z_dcdng field_z OUTPUT decode_output AS field_z_decoded

Would this work? Is there another (more efficient) way to do this?

Thanks


strive
Influencer

In my case we have not used any props.conf.

We have a common app, and in that app's local directory we define stanzas for CSV files, like you have done. In the lookups directory we have all our CSV files. We use the lookups in other apps. One thing that you should do is push the common app to all the nodes where you need that lookup.

For example: I have commonAPP, which contains CSV files. I have idxAPP and shAPP, which reside on the indexer node and search head node respectively. If I want to do lookups in the searches/macros that I have in idxAPP and shAPP, then I need to deploy commonAPP to the indexer and search head nodes as well.
