Splunk Search

Change value of field at index time based on condition

shayhibah
Path Finder

Hi,

I am wondering if it's possible to change the value of a field based on a condition at index time.

For example:

If the log contains field X with value XX, then in case field Y exists, change Y value to YY.

Thanks


sanjeev543
Communicator

Why are you looking to change it at index time? Anyway, you have 2 options to replace Y with a new value:

1) Using INGEST_EVAL in transforms.conf
props.conf

[my_sourcetype]
TRANSFORMS-y = change_y

transforms.conf

[change_y]
INGEST_EVAL = y=if(x LIKE "%foo%","YY",'y')

But using this will override the other settings that you might have defined for this sourcetype at index time, like REGEX, FORMAT, etc.
Please refer to https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Transformsconf#transforms.conf.spec

2) Using the REGEX and FORMAT in transforms.conf to modify the _raw data itself

props.conf

[my_sourcetype]
TRANSFORMS-y = change_xy

transforms.conf

[change_xy]
REGEX = (x.*foo\s+)y.*
DEST_KEY = _raw
FORMAT = $1ynew_value

Please write a REGEX to match your X with value XX; this will match events where X has XX and replace them with X and with the new value that you set in FORMAT.

If you are considering updating the Y value at search time, please update your props.conf as below:

[my_sourcetype]
...
<your props configs>
....
EVAL-Y = if(x LIKE "%XX%","YY",'Y')
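As an added illustration (not part of the answer above and not Splunk's own code), the snippet below emulates what option 2 does to an event. It assumes the documented DEST_KEY = _raw behaviour that the expanded FORMAT replaces the entire event ($0 being the original _raw), uses constructed sample events, and contrasts the posted pattern with an anchored one that rewrites only Y's value and keeps the rest of the event:

```python
import re

# Constructed sample events (not from the thread): one meets the
# "X has value foo" condition, the other does not.
EVENTS = [
    "2024-01-01T00:00:00Z host=web01 x=foo y=old z=keep-me",
    "2024-01-01T00:00:01Z host=web01 x=bar y=old z=keep-me",
]

def rewrite_raw(raw, regex, fmt):
    """Emulate an index-time transform with DEST_KEY = _raw.

    If REGEX matches (unanchored search, like Splunk), the expanded FORMAT
    becomes the whole new _raw: $1..$n are capture groups, $0 is the original
    _raw. If REGEX does not match, or FORMAT references a group the REGEX does
    not have, the event is left untouched.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    needed = [int(n) for n in re.findall(r"\$(\d+)", fmt)]
    if max(needed, default=0) > m.re.groups:
        return raw
    def sub(tok):
        n = int(tok.group(1))
        return raw if n == 0 else (m.group(n) or "")
    return re.sub(r"\$(\d+)", sub, fmt)

# The pattern from the answer above: unanchored, and "y.*" swallows the rest
# of the event, so the timestamp, host and z= are dropped from the new _raw.
POSTED = {"REGEX": r"(x.*foo\s+)y.*", "FORMAT": "$1ynew_value"}

# An anchored pattern that captures the prefix and suffix and only replaces
# the value of y, so no other data is lost.
ANCHORED = {"REGEX": r"^(.*\bx=foo\s+y=)\S+(.*)$", "FORMAT": "$1YY$2"}

def apply_transform(events, xform):
    """Apply one REGEX/FORMAT pair to every event, returning the new _raw list."""
    return [rewrite_raw(e, xform["REGEX"], xform["FORMAT"]) for e in events]

if __name__ == "__main__":
    for name, xf in (("posted", POSTED), ("anchored", ANCHORED)):
        print(name)
        for out in apply_transform(EVENTS, xf):
            print("  ", out)
```

Because the rewrite happens before indexing, whatever the FORMAT drops is gone for good, which is why the search-time EVAL is the safer choice when you only need ES to see different values.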

shayhibah
Path Finder

Hi @sanjeev543

The reason I asked about index time is because I would like to change my values to the values Enterprise Security needs to get.

Is it possible to do this at search time, and will it be OK for ES too?


sanjeev543
Communicator

Yes, if that's the only reason, please prefer using search time. If you are able to solve the issue using my solution, please mark the answer as accepted 🙂
