I'd like to do a field extraction on these fields:
proto=udp/67
proto=tcp/http
proto=udp/9060
Should become
protocol/service
If the service ends up being something alphabetic like HTTP then I don't change it. If not, I should do a lookup for the numeric value in /etc/services and get the service name.
I could extract the number and save it as the port_number, then do a lookup on that field. Would Splunk care if I had a field called service that was populated both by an automatic lookup and by automatic field extraction?
That should be fine. The easiest thing would probably be to define two separate field extractions - one that looks for the protocol followed by a slash and a numeric value (port_number) and another one that looks for an alphabetical + possibly numerical value instead (service). You can do a lookup from port_number to service; Splunk won't overwrite the service field or anything like that if it doesn't find a match.
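The two-extraction-plus-lookup approach from the answer, written out as an added Python example (not code from the original thread or from Splunk): one regex for a numeric port, one for a named service, and a lookup built from a constructed /etc/services excerpt. The sample events and the services excerpt are constructed for illustration.

```python
import re

# Constructed sample events in the shape the question shows.
SAMPLE_EVENTS = ["proto=udp/67", "proto=tcp/http", "proto=udp/9060"]

# Constructed excerpt in /etc/services format (not a full copy of the file).
SAMPLE_ETC_SERVICES = """\
# service-name  port/protocol  [aliases ...]
http            80/tcp         www
bootps          67/udp         # BOOTP server
domain          53/udp
"""

# Two separate extractions, as the answer suggests: numeric port vs. named service.
PORT_RE = re.compile(r"proto=(?P<protocol>\w+)/(?P<port_number>\d+)$")
SERVICE_RE = re.compile(r"proto=(?P<protocol>\w+)/(?P<service>[a-z][a-z0-9-]*)$", re.I)


def load_services(text):
    """Build the lookup table {(port, protocol): service} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, portproto = line.split()[:2]    # aliases after the second column are ignored
        port, proto = portproto.split("/")
        table[(int(port), proto.lower())] = name
    return table


def extract(event, services):
    """Return the fields one event ends up with after extraction and lookup."""
    fields = {}
    m = PORT_RE.match(event)
    if m:
        fields.update(m.groupdict())
        key = (int(m["port_number"]), m["protocol"].lower())
        # The lookup only sets `service` on a match; with no match the field simply
        # stays absent, mirroring the answer's point that nothing gets overwritten.
        if key in services:
            fields["service"] = services[key]
        return fields
    m = SERVICE_RE.match(event)
    if m:
        fields.update(m.groupdict())  # alphabetic service (e.g. http) is kept as-is
    return fields


if __name__ == "__main__":
    table = load_services(SAMPLE_ETC_SERVICES)
    for ev in SAMPLE_EVENTS:
        print(ev, "->", extract(ev, table))
```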
OK, thanks. Good to know the internals.