Hi,
I don't know if this is the right way to do it, but I have a list of COMMANDS which I have associated a Classification (name).
This search gives me a table with PID, COMMAND count and Classification and some of those results in the field Classification have blanks in it.
sourcetype=top COMMAND | multikv | rex field=COMMAND "^(?.+?)\/" | rex field=COMMAND "^(?.+?)_" | dedup COMMAND | stats count by PID, COMMAND | lookup command_lookup.csv COMMAND AS COMMAND OUTPUT Classification AS Classification | eval Classification=if(isnull(Classification),command_lookup.csv,Classification)
What I am trying is to let Splunk write "NULL" in that field if it doesn't find a match in the lookup file. Can anybody help me here?
thanks in advance.
regards
Mike
Well, if I understand the question properly, your goal is to have a lookup table return a default value if the key does not exist in the lookup. One way to accomplish this is by defining the lookup in transforms.conf and setting a default match there. A stanza similar to this should do it.
[command_lookup]
filename=command_lookup.csv
min_matches = 1
default_match = NULL
Now your lookup command in your search changes to:
... | lookup command_lookup COMMAND AS COMMAND OUTPUT Classification AS Classification
Since the stanza defines the filename
One approach for post-processing exclusively in the search language is eval and its coalesce command. You can do something like this:
| eval Classification=coalesce(Classification,"NULL")
The coalesce command returns the first non-empty value among its arguments.
Here is a tutorial on how to setup a lookup. It can be done entirely from the Splunk GUI.
http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/Usefieldlookups
Hi dwaddle, thanks for your feedback. Unfortunately I am not familiar with the stanza setup and in addition to that I have limited access (web interface only).
I would appreciate a search command solution.