Solved: Field transformation

LauraBre · ‎07-04-2012

hello,

I have this following log in Splunk:

RS:D2T,PAN:1/1,Req:fr18126,User:a169805,TKN:g00e29dfd883effecba,H:W60080,SN:UTKBENCH,RC:000,TIME:180ms

I create a field RC which correspond and now I want to associate to each value of RC a value in splunk. For example I want to say where RC=000 the value is "ok". I know that I can add in my search "eval serieRC=case("RC=000,"ok",...)" but there are a lot of values and if there are a new value later, I have to modify all my search which take account this field to associate a new value. So I want to know if there is an other solution to this problem. I saw that there is "field transformation" but I don't understand very well how associate a value X to a value Y which is in the log for the field "RC".

Thanks by advance to your help.

Laura

rturk · ‎07-04-2012

The answer to your problem is the use of lookup tables. There is an excellent example/tutorial on their use here: http://docs.splunk.com/Documentation/Splunk/latest/User/Fieldlookupstutorial.

This way you can just add new values to the lookup files later without having to change your saved search.

Hope this helps 🙂

View solution in original post

rturk · ‎07-04-2012

The answer to your problem is the use of lookup tables. There is an excellent example/tutorial on their use here: http://docs.splunk.com/Documentation/Splunk/latest/User/Fieldlookupstutorial.

This way you can just add new values to the lookup files later without having to change your saved search.

Hope this helps 🙂

LauraBre · ‎07-05-2012

Thx very much for your answer. I look this and try to use that.

Field transformation

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life