Splunk Search

How to apply a field lookup to any field name match in all sourcetypes

cheganbm
Explorer

Hi,

We have a series of indexes storing different data structures (each with its own sourcetype) that have a number of common fields in them.

We wanted to have a single point of reference in the system for translations. We thought of having a specific app that holds this information and applies all the configured translations in any other app, regardless of the index and/or sourcetype displayed.

We thought of something like this. Inside an app, in the default section, we create the following stanzas.

In the transforms.conf we add, in the standard way, the possible translations.

[glbl_common_field_a_dcdng]
default_match = "Unknown"
filename = glbl_common_field_a_dcdng.csv
min_matches = 1

[glbl_common_field_b_dcdng]
default_match = "Unknown"
filename = glbl_common_field_b_dcdng.csv
min_matches = 1

(...)

[glbl_common_field_z_dcdng]
default_match = "Unknown"
filename = glbl_common_field_z_dcdng.csv
min_matches = 1

In props.conf, we set a stanza with some sort of accepted wildcard that automates every possible translation, something like the one below:

[*]
LOOKUP-auto_glbl_common_field_a_dcdng = glbl_common_field_a_dcdng field_a OUTPUT decode_output AS field_a_decoded
LOOKUP-auto_glbl_common_field_b_dcdd = glbl_common_field_b_dcdng field_b OUTPUT decode_output AS field_b_decoded
(...)
LOOKUP-auto_glbl_common_field_z_dcdd = glbl_common_field_z_dcdng field_z OUTPUT decode_output AS field_z_decoded

Would this work? Is there another (more efficient) way to do this?

Thanks

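As an added example that is not from the thread, the Python check below parses props.conf and transforms.conf text and verifies that every LOOKUP- definition names a defined transform whose CSV actually has the input and OUTPUT columns; the stanza text and CSV contents are constructed from the names in the question, and the check says nothing about whether Splunk accepts the [*] stanza itself.

```python
import configparser, csv, io, re

# Constructed inputs modelled on the question's stanzas: field_z has no
# transforms stanza and field_b's CSV lacks the decode_output column.
TRANSFORMS_CONF = """
[glbl_common_field_a_dcdng]
filename = glbl_common_field_a_dcdng.csv
[glbl_common_field_b_dcdng]
filename = glbl_common_field_b_dcdng.csv
"""
PROPS_CONF = """
[*]
LOOKUP-auto_glbl_common_field_a_dcdng = glbl_common_field_a_dcdng field_a OUTPUT decode_output AS field_a_decoded
LOOKUP-auto_glbl_common_field_b_dcdd = glbl_common_field_b_dcdng field_b OUTPUT decode_output AS field_b_decoded
LOOKUP-auto_glbl_common_field_z_dcdd = glbl_common_field_z_dcdng field_z OUTPUT decode_output AS field_z_decoded
"""
CSV_FILES = {  # filename -> constructed CSV text (stands in for the lookups/ dir)
    "glbl_common_field_a_dcdng.csv": "field_a,decode_output\n1,Login\n2,Logout\n",
    "glbl_common_field_b_dcdng.csv": "field_b,description\n10,Allowed\n",
}

def parse_conf(text):  # .conf text -> {stanza: {key: value}}, key case kept
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # LOOKUP-* names are case-sensitive
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def lookup_columns(spec):  # '<col> [AS <alias>] ...' -> CSV column names only
    return re.sub(r"\s+AS\s+\S+", "", spec).replace(",", " ").split()

def check_lookups(props_text, transforms_text, csv_files):
    """Return one problem string per LOOKUP-* definition that cannot resolve."""
    transforms, problems = parse_conf(transforms_text), []
    for stanza, keys in parse_conf(props_text).items():
        for key, value in ((k, v) for k, v in keys.items() if k.startswith("LOOKUP-")):
            # Syntax: <transform> <input> [AS <field>] OUTPUT|OUTPUTNEW <col> [AS <field>] ...
            parts = re.split(r"\s+OUTPUT(?:NEW)?\s+", value.strip(), maxsplit=1)
            name, _, in_spec = parts[0].partition(" ")
            out_spec = parts[1] if len(parts) > 1 else ""
            transform = transforms.get(name)
            if transform is None:
                problems.append(f"{stanza}/{key}: transform {name} undefined")
                continue
            csv_text = csv_files.get(transform.get("filename"))
            if csv_text is None:
                problems.append(f"{stanza}/{key}: CSV {transform.get('filename')} not found")
                continue
            header = next(csv.reader(io.StringIO(csv_text)))
            for col in lookup_columns(in_spec) + lookup_columns(out_spec):
                if col not in header:
                    problems.append(f"{stanza}/{key}: column {col} not in {transform['filename']}")
    return problems
```

Running check_lookups(PROPS_CONF, TRANSFORMS_CONF, CSV_FILES) reports the missing decode_output column for field_b and the undefined field_z transform, while the field_a lookup passes.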

strive
Influencer

In my case we have not used any props.conf.

We have a common app; in that app's local directory we define stanzas for the CSV files, as you have done. In the lookups directory we have all our CSV files. We use the lookups in other apps. One thing you should do is push the common app to all the nodes where you need that lookup.

For example: I have commonAPP, which contains the CSV files. I have idxAPP and shAPP, which reside on the indexer node and the search head node respectively, and if I want to do lookups in the searches/macros that I have in idxAPP and shAPP, then I need to deploy commonAPP to the indexer and search head nodes as well.
