- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Is it possible to add a field that has a relation ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it possible to add a field that has a relation to a fieldvalue/source value?
Is it possible to add an field that has a relation to a fieldvalue/source value? I am trying to make a simple dashboard panel with an overview of all the different sources that are in the index. For example :
source:
Test
Flow
Jobs
What I would like is an extra column with values that don't exist in the index.
Example:
source: description:
Test testcases etc.
Flow flow etc.etc.
Jobs jobs etc. etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can use a CSV lookup describe in:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/ConfigureCSVlookups
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on how automatic you want it, you can either code it as a case statement, or a lookup file, The lookup file can be either manual, or automatic.
With the lookup file, you create a single CSV file that has the cross reference, and then you (manually) include the lookup code to turn the real field into a descriptive field using the lookup, or you set the lookup to b automatic so that the result field will be automatically available for all searches.
Let us know if you need more specifics than that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a field and assign a value for each case (if you want to hardcode it):
| eval description=case(
source == "Test", "testcases",
source == "Flows", "flow",
source == "Jobs", "job")
Otherwise use lookup like specified above by @somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can create a field and assign a value for each case (if you want to hardcode it):
| eval description=case(
source == "Test", "testcases",
source == "Flows", "flow",
source == "Jobs", "job")
Otherwise use lookup like specified above by @somesoni2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Mike6960 lookup file would be the best option, however, if you want to convert hard-coded | eval to a knowledge object for easy maintenance and re-usability you can create a Macro which takes source as input and returns description as output. If source field is extracted as search time field you can also create Calculated Field as another option to persist the eval as knowledge object.
Following is the sample macro definition for macro getDescriptionForSource to be saved in macros.conf under your Splunk App's local directory i.e. $SPLUNK_HOME/etc/apps/<yourAppName>/appserver/static:
[getDescriptionForSource]
definition = eval description=case(\
source == "Test", "testcases",\
source == "Flows", "flow",\
source == "Jobs", "job",\
true(),source)
iseval = 0
Following is a run anywhere search example:
| makeresults
| fields - _time
| eval data="Test,20;Flows,10;Jobs,3"
| makemv data delim=";"
| mvexpand data
| makemv data delim=","
| eval source=mvindex(data,0), count=mvindex(data,1)
| fields - data
| `getDescriptionForSource`
| table source description count
PS: If any of the description is not defined for corresponding source the macro will return the source name using true() condition.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@niketnilay thank you for your extensive answer and explanation. I am afraid its a bit to complex for me but again thanks anyway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@damien_chillet, thanks it works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Glad you found something that works for you!
I've converted my comment to an answer.
Could you please accept it so the question can be marked as closed?
Have a nice day and happy Splunking! (:
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the description is static for a source, you can create a lookup table file with source and corresponding description and do the lookup in your search.
Lookup: source_desc.csv with fields source, description
http://docs.splunk.com/Documentation/Splunk/7.0.3/Knowledge/Usefieldlookupstoaddinformationtoyoureve...
Search:
your current search giving field source
| lookup source_desc.csv source OUTPUT description
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2 thanks for your answer. In this case I will try and use the way damien_chillet suggests but the look-up option is surely something i will try/use in the future
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
