Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

heavy forwarder lookup

tmarlette
Motivator
‎06-23-2014 08:30 AM

I was wondering if it is possible to have a heavy forwarder perform a lookup on a field before it sends data to the indexer?

For instance, I have a series of KV pairs that are numeric in nature, and so are their values, so splunk doesn't recognize them as fields. below is an example of some of the data I am capturing:

1015=USD  9053=0 20064=329915 20200=TESTTR 20401=100 20403=100,101 20404=ef2508bb-5fc-0n5i-3 20409=3 20677=Purf 20687=ef2508bb-5fc-0n5i 23054=14:9:35 23065=119 23153=5646521 23249=1532 23610=12 23955=1

Take for instance "1015=USD". This is the field that determines the currency. I am looking for the heavy forwarder to perform a lookup on "1015" and then forward to the indexer as 'currency'.

Is this possible?

Tags (2)
0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:34 AM

Negative, this is a proprietary applications format, and while FIX tags are also included, this is not explicit FIX.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎06-23-2014 08:35 PM

Is this a FIX log format, by any chance...?
If so, have you seen this: http://apps.splunk.com/app/431/

0 Karma
Reply

lguinn2
Legend
‎06-23-2014 05:47 PM

Sorry but no. However, on the indexer (or search head), you could extract the field on the left of the equal sign with a field name like "fieldDefn" and extract the data on the right side of the equal sign with the name "fieldValue".

You could then use the fieldDefn field to do a lookup and come up with the string representation of the field name...

But what you would do after that depends on the purpose of your search or report.

0 Karma
Reply

tmarlette
Motivator
‎06-24-2014 08:40 AM

yeah but when I try that it doesn't work.

here is my RegEx for the capture:
(?\d+)=[^\s]+

This works in regexr, but not in splunk for some reason. Splunk only captures 2 of those fields with this extraction.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...