Splunk Search

field extraction where the data may need a lookup

jalfrey
Communicator

I'd like to do a field extraction on these fields:

proto=udp/67
proto=tcp/http
proto=udp/9060

Should become
protocol/service

If the service ends up being something alphabetic like HTTP then I don't change it. If not I should do a lookup for the numeric value to /etc/services and get the service name.

I could extract the number and save it as the port_numer then do a lookup on that field. Would splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?

Tags (3)
0 Karma
1 Solution

Ayn
Legend

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

View solution in original post

0 Karma

Ayn
Legend

That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service, Splunk won't overwrite the service field or anything like that if it won't find a match.

0 Karma

jalfrey
Communicator

ok thanks. Good to know the internals.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...