Splunk Search

Translating string in search string

derekf
Explorer

In my search strings I often rename columns using "AS". Is there a way I can expose those as parameters so that when I generate a message.pot file they are included?

Or is it possible to define a macro or a .conf file that can be localized and then used in the search string?

Thanks

0 Karma

woodcock
Esteemed Legend

Yes, of course. Here is a macro definition that I use to normalize fields coming out of CIM searches:

[Normalize_CIM_Fieldnames]
definition = rename list(*) AS * values(*) AS *\
\
| rename COMMENT AS "START WITH CIM DMs"\
\
| rename Authentication.Failed_Authentication.* AS *\
| rename Authentication.Successful_Authentication.* AS *\
| rename Authentication.Default_Authentication.Failed_Default_Authentication.* AS *\
| rename Authentication.Default_Authentication.Successful_Default_Authentication.* AS *\
| rename Authentication.Default_Authentication.* AS *\
| rename Authentication.Insecure_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.Failed_Privileged_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.Successful_Privileged_Authentication.* AS *\
| rename Authentication.Privileged_Authentication.* AS *\
| rename Authentication.* AS *\
\
| rename All_Changes.Auditing_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Filesystem_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Registry_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.Endpoint_Restarts.* AS *\
| rename All_Changes.Endpoint_Changes.Other_Endpoint_Changes.* AS *\
| rename All_Changes.Endpoint_Changes.* AS *\
| rename All_Changes.Network_Changes.Device_Restarts.* AS *\
| rename All_Changes.Network_Changes.* AS *\
| rename All_Changes.Account_Management.Created_Accounts.* AS *\
| rename All_Changes.Account_Management.Deleted_Accounts.* AS *\
| rename All_Changes.Account_Management.Locked_Accounts.* AS *\
| rename All_Changes.Account_Management.Updated_Accounts.* AS *\
| rename All_Changes.Account_Management.* AS *\
| rename All_Changes.* AS *\
\
| rename IDS_Attacks.Application_Intrustion_Detection.* AS *\
| rename IDS_Attacks.Host_Intrustion_Detection.* AS *\
| rename IDS_Attacks.Network_Intrustion_Detection.* AS *\
| rename IDS_Attacks.* AS *\
\
| rename Malware_Attacks.Allowed_Malware.* AS *\
| rename Malware_Attacks.Blocked_Malware.* AS *\
| rename Malware_Attacks.Quarantied.Malware.* AS *\
| rename Malware_Attacks.* AS *\
\
| rename All_Traffic.Traffic_By_Action.Allowed_Traffic.* AS *\
| rename All_Traffic.Traffic_By_Action.Blocked_Traffic.* AS *\
| rename All_Traffic.Traffic_By_Action.* AS *\
| rename All_Traffic.* AS *\
\
| rename Web.Proxy.* AS *\
| rename Web.* AS *\
\
| rename COMMENT AS "NOW DO CUSTOM DMs"
errormsg = Description: Author=Gregg Woodcock
iseval = 0
0 Karma

derekf
Explorer

Thank you for the response. I have not seen * used when renaming before. Do you think you would be able to explain this a little bit for me? Also, will this make the renamed columns exposed to the messages.pot file created when doing localization?

Thanks again.

0 Karma

derekf
Explorer

Nevermind, it is simply a wildcard.
rename All_Traffic.* AS * would just be rename All_Traffic.(field) AS (field)

Still not sure how I can extract what fields are renamed to so I can localized them though.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...