Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract key/value parameters and issue lookup?

vhwang
New Member
‎10-18-2011 10:07 AM

I have a log containing some commands like so:

SWFCMD_DNLK_LOG:  WHICHLOG = CMD_LOG_IMDCMD, TIMERANGESTRT = 0, TIMERANGEEND = 2147483647, DNLNKPRIO = 1
IHFVIS_FW_ABS:  FILTER_NUM = FILTER_4

Or in a more familiar syntax:
swfcmd_dnlk_log(whichlog=cmd_log_imdcmd, timerangestrt=0, timerangeend=20123, dnlinkprio=1)

I have another lookup table that looks like this:

function_name, function_description, parameter, parameter_description
swfcmd_dnlk_log  dnlk_description_txt  whichlog   whichlog_description_text
swfcmd_dnlk_log  dnlk_description_txt  timerangestrt timerangestrt_description_text
etc...

What's the best way to perform the extraction and lookup?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-29-2015 03:41 PM

Let Splunk do the KVP extraction automatically like this in props.conf:

KV_MODE=auto_escaped

Then do the lookup like this

... lookup MYLOOKUP WHICHLOG AS parameter  OUTPUT parameter_description

Or this:

... lookup MYLOOKUP WHICHLOG AS function_name OUTPUT function_description
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...