Splunk Search

Change value of field at index time based on condition

shayhibah
Path Finder

Hi,

I am wondering if it's possible to change the value of a field based on a condition at index time.

For example:

If the log contains field X with value XX, then, if field Y exists, change the value of Y to YY.

Thanks


sanjeev543
Communicator

Why are you looking to change it at index time? Anyway, you have two options to replace Y with a new value:

1) Using INGEST_EVAL in transforms.conf
props.conf

[my_sourcetype]
TRANSFORMS-y = change_y

transforms.conf

[change_y]
INGEST_EVAL = y=if(x LIKE "%foo%","YY",'y')

But using this will override the other settings that you might have defined for this sourcetype at index time, like REGEX, FORMAT, etc.
Please refer to https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Transformsconf#transforms.conf.spec

2) Using REGEX and FORMAT in transforms.conf to modify the _raw data itself

props.conf

[my_sourcetype]
TRANSFORMS-y = change_xy

transforms.conf

[change_xy]
# Capture the text on both sides of the y value: with DEST_KEY = _raw the
# expanded FORMAT becomes the whole event, so anything not captured is lost.
REGEX = (.*x.*foo\s+)y\S*(.*)
DEST_KEY = _raw
FORMAT = $1ynew_value$2

Please write a REGEX that matches your X with value XX; this will match events where X has the value XX and replace Y with the new value that you put in FORMAT.

If you are considering updating the Y value at search time, please update your props.conf as below:

[my_sourcetype]
...
<your props configs>
....
EVAL-Y = if(x LIKE "%XX%","YY",'Y')
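
A runnable illustration of what option 2 actually does to an event, added here as an example and not part of the original answer or of Splunk's own code. It is a small Python approximation of a transforms.conf stanza with DEST_KEY = _raw: REGEX is searched against _raw and, on a match, FORMAT (with $1, $2 expanded) becomes the entire new event; non-matching events pass through untouched. The three key=value sample events are constructed for this example. It runs the stanza as it was originally posted, where the trailing `.*` is matched but not captured, so the timestamp and everything after the y value disappear from the event, next to a stanza that captures both sides of the y token and puts them back. Two caveats before choosing the index-time route: rewriting _raw is irreversible, the original value is gone from the index and cannot be recovered during an investigation, whereas a search-time EVAL leaves the raw event intact; and INGEST_EVAL can only reference fields that are already indexed fields at that point in the pipeline (default fields and fields written by earlier transforms), not search-time extractions.

```python
import re

# Constructed sample events (not taken from the original post). Field "x"
# carries the trigger value "foo" and field "y" is the one to be rewritten.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00Z x=foo y=old z=1 user=alice",
    "2024-01-01T00:00:01Z x=bar y=old z=2 user=bob",
    "2024-01-01T00:00:02Z x=foo y=other",
]


def apply_raw_transform(raw, regex, fmt):
    """Approximate a transforms.conf stanza with DEST_KEY = _raw.

    Splunk searches REGEX against _raw and, on a match, replaces the *whole*
    event with the expanded FORMAT string ($1, $2, ... are capture groups).
    Events that do not match are left as they are. Splunk uses PCRE; Python's
    re module is close enough for these patterns. This helper is written for
    this example and is not Splunk's implementation.
    """
    m = re.search(regex, raw)
    if not m:
        return raw
    # Translate Splunk's $N back-references into Python's \N template syntax.
    template = re.sub(r"\$(\d+)", r"\\\1", fmt)
    return m.expand(template)


# Stanza as posted in the answer: the trailing ".*" is consumed but not
# captured, and nothing before "x" is captured either, so the timestamp and
# the tail of the event are dropped when FORMAT becomes the new _raw.
POSTED = {"REGEX": r"(x.*foo\s+)y.*", "FORMAT": "$1ynew_value"}

# Corrected stanza: capture everything before the y token and everything
# after it, match the whole "y=value" token, and reassemble with $1 and $2.
# "YY" is the replacement value from the question.
FIXED = {"REGEX": r"(.*x.*foo\s+)y\S*(.*)", "FORMAT": "$1y=YY$2"}


def rewrite_events(events, stanza):
    """Run one stanza over a list of events and return the rewritten list."""
    return [apply_raw_transform(e, stanza["REGEX"], stanza["FORMAT"])
            for e in events]


if __name__ == "__main__":
    for label, stanza in (("posted", POSTED), ("fixed", FIXED)):
        print(f"--- {label} stanza ---")
        for before, after in zip(SAMPLE_EVENTS, rewrite_events(SAMPLE_EVENTS, stanza)):
            print(f"{before}\n  -> {after}")
```

Running it shows the posted stanza turning the first event into `x=foo ynew_value` (timestamp, `z` and `user` gone) while the corrected stanza yields `2024-01-01T00:00:00Z x=foo y=YY z=1 user=alice`; the `x=bar` event is untouched by both. Checking a REGEX/FORMAT pair against a handful of real events like this, before it goes into transforms.conf, is the cheapest way to avoid silently truncating data you can never get back.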

shayhibah
Path Finder

Hi @sanjeev543,

The reason I asked about index time is that I would like to change my values to the ones Enterprise Security needs to get.

Is it possible to do this at search time, and will it be OK for ES too?


sanjeev543
Communicator

Yes, if that's the only reason, please prefer using search time. If you are able to solve the issue using my solution, please mark the answer as accepted 🙂
