Splunk Search

Manipulating fields within a transaction

bcarr12
Path Finder

What would be the best way to go about manipulating fields within a transaction? For example, let's say I have the following transaction as part of my search to create a transaction:

"search text" source="mylog.log" | transaction maxpause=1s FieldA, FieldB, FieldC, FieldD

Within each transaction, there are additional fields that I use for creating alerts and reports. All of the logs have a descriptive field in them called FieldE. The problem is, sometimes FieldE is very specific and sometimes FieldE does not give me the information I need and requires an additional field, FieldF, to get more information (I use a lookup table in both cases). In a normal case, I would put FieldE into a lookup table and output the DescriptionFieldE and be done.

In the cases where FieldE is not descriptive enough, I can use FieldF. FieldF is not present in every log in a transaction. At a high level, what I am trying to do is within each transaction:

If there is a value for FieldF, input it into a lookup table and output as DescriptionFieldF. Create a new field that has both the results of DescriptionFieldE and DescriptionFieldF. What is the best way to create a new field that is the combination of the results of several other fields? Basically something like:

NewField=DescriptionFieldE+DescriptionFieldF (the "results" of both these fields are words so I am not trying to actually add anything together, just combine the results into a single field)

0 Karma

lguinn2
Legend

You could do this using the concatenation operator:

| lookup fieldElookup FieldE output DescriptionFieldE
| lookup fieldFlookup FieldF output DescriptionFieldF
| eval newField=DescriptionFieldE . DescriptionFieldF

0 Karma

bcarr12
Path Finder

I gave this a shot and it doesn't seem to be working. I have a value for DescriptionFieldE and DescriptionFieldF, but if I do:

eval newField=DescriptionFieldE . DescriptionFieldF

It doesn't return any values? One thing I am unsure of, will this concatenation create one field with one result that has both descriptions in it? Or one field with two results?

0 Karma
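An added example (not from either poster) that reproduces why the plain concatenation can come back empty and shows one way to combine the two descriptions. The `makeresults`/`eval` lines are constructed stand-ins for the two lookup outputs: DescriptionFieldF is deliberately null, as it is for a transaction whose events never carried FieldF, and DescriptionFieldE is multivalued, as `transaction` leaves fields that differ across events.

```spl
| makeresults count=1
| eval DescriptionFieldE=mvappend("Login failed", "Account locked"), DescriptionFieldF=null()
| eval naive=DescriptionFieldE . DescriptionFieldF
| eval combined=trim(coalesce(mvjoin(DescriptionFieldE, "; "), "") . " " . coalesce(mvjoin(DescriptionFieldF, "; "), ""))
| table DescriptionFieldE DescriptionFieldF naive combined
```

In the real search, the `eval` that fabricates the descriptions is replaced by the two `lookup` commands from the answer above; `naive` is empty because concatenating a null operand yields null, while `coalesce` substitutes an empty string for the missing description and `mvjoin` flattens a multivalue description into one string so `combined` is always a single value.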