Splunk Search

Create multivalue field from single number

landen99
Motivator

For a simple example of the concept, let's consider Linux file permissions encoding of read, write and execute into a single number:
Example: "7, 5, 1"

file_access_user_code="7", 
file_access_group_code="5",
file_access_world_code="1" 

If we look at the first number, it says that the user can read (4), write (2), and execute (1): 4+2+1=7

code, attr
4, read
2, write
1, execute

So my field, file_access_user, is a multi-value field equal to (read, write, execute). Group is read and execute, and world is only execute.
My goal is for Splunk to see file_access_user_code and extract the following:

file_access_user="read, write, execute", 
file_access_group="read, execute",
file_access_world="execute"

I give the chmod example as a simple representation of a much more complex table based on hexadecimal encoding of attributes into a single number. How can we tell Splunk to take a lookup table with columns "code" and "description" and auto-lookup the numeric values to give multi-value fields with all encoded values listed explicitly?

0 Karma

lguinn2
Legend

First, I would make the table a bit easier to use - it's only 7 values (15 for hex) and it saves a lot of computational work that is not easy in Splunk:

code, attr
7,"read, write, execute"
6,"read, write"
5,"read, execute"
4,read
3,"write, execute"
2,write
1,execute

Now try this:

yoursearchhere
| eval file_access_user_code= substr(file_access_string, 1, 1)
| eval file_access_group_code= substr(file_access_string, 2, 1)
| eval file_access_world_code= substr(file_access_string, 3, 1)
| lookup file_access_lookup code as file_access_user_code OUTPUT attr as file_access_user
| lookup file_access_lookup code as file_access_group_code OUTPUT attr as file_access_group
| lookup file_access_lookup code as file_access_world_code OUTPUT attr as file_access_world
| makemv delim=", " file_access_user
| makemv delim=", " file_access_group
| makemv delim=", " file_access_world

How to do this automatically: you could make file_access_user_code, file_access_group_code and file_access_world_code into calculated fields, and then use them for the automatic lookup. However, your resulting fields will be strings, not multi-valued fields.

0 Karma
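As an added example (not code from either post, and not Splunk's own code), here is a small Python script that does the two things discussed in this thread outside of Splunk: it decodes a bit-coded permission number into the list of attribute names the question wants, and it generates the expanded `code,attr` lookup CSV that the answer recommends building by hand. It generalizes to any table of single-bit attributes, so the same function produces the 15-row table for a hex-encoded attribute byte. The field names `file_access_user`, `file_access_group` and `file_access_world` come from the question; the 4-bit table `HEX_ATTRS` uses constructed placeholder attribute names.

```python
import csv
import io

# Single-bit attribute table from the question (chmod digits).
BIT_ATTRS = {4: "read", 2: "write", 1: "execute"}

# Constructed 4-bit table standing in for the "much more complex" hex
# encoding mentioned in the question; the attribute names are placeholders.
HEX_ATTRS = {8: "flag8", 4: "flag4", 2: "flag2", 1: "flag1"}


def decode_code(code, bit_attrs=BIT_ATTRS):
    """Return the attribute names whose bits are set in `code`, highest bit first.

    Raises ValueError if `code` contains a bit the table does not define,
    so an unexpected value shows up as an error instead of a silently
    truncated multivalue field.
    """
    attrs = []
    remaining = code
    for bit, name in sorted(bit_attrs.items(), reverse=True):
        if remaining & bit:
            attrs.append(name)
            remaining &= ~bit
    if remaining:
        raise ValueError(f"code {code} has bits not in the table: {remaining}")
    return attrs


def expand_lookup(bit_attrs=BIT_ATTRS):
    """Build the expanded code->attr lookup as CSV text.

    Every non-zero combination of the table's bits gets one row whose attr
    value joins the names with ", ", the delimiter makemv then splits on.
    For a 3-bit table this yields the 7 rows shown in the answer; a 4-bit
    (hex) table yields 15 rows.
    """
    max_code = sum(bit_attrs)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["code", "attr"])
    for code in range(max_code, 0, -1):
        writer.writerow([code, ", ".join(decode_code(code, bit_attrs))])
    return buf.getvalue()


def decode_permission_string(perm, bit_attrs=BIT_ATTRS):
    """Split a digit string such as "751" into the three multivalue fields.

    Digit positions map to user, group and world, as in the question.
    """
    if len(perm) != 3 or not perm.isdigit():
        raise ValueError(f"expected three digits, got {perm!r}")
    names = ("file_access_user", "file_access_group", "file_access_world")
    return {
        name: decode_code(int(digit), bit_attrs)
        for name, digit in zip(names, perm)
    }


if __name__ == "__main__":
    # Constructed input: the "7, 5, 1" example from the question.
    for field, attrs in decode_permission_string("751").items():
        print(f'{field}="{", ".join(attrs)}"')
    print(expand_lookup())
    print(expand_lookup(HEX_ATTRS))
```

Running the script prints the three fields exactly as the question lists them, followed by the 7-row lookup from the answer and the 15-row hex version. Saving `expand_lookup(HEX_ATTRS)` to a CSV and uploading it as a lookup file is the only Splunk-side step the hex case needs; the `lookup` and `makemv` commands from the answer work unchanged.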