
Changing an ID to a name

bazcurtis178
Explorer

Hi,

My search result brings back a GUID in the ID field. The GUID refers to a customer. I would like it to reflect the customers name. Can I make a Splunk search do this every time?

Best wishes

Michael


bazcurtis178
Explorer

I have made some progress. I have setup an Automatic Lookup and this works on a search that I table, but not on a raw search. Is that the best I will get?


richgalloway
SplunkTrust

Using an automatic lookup was a good idea.  I don't understand what you mean by "raw search", however.

---
If this reply helps you, Karma would be appreciated.

bazcurtis178
Explorer

If I make a Table the Automatic Lookup works. If I do a search for index="sophos_central" I see what I would call the raw data and that field is still the GUID.


richgalloway
SplunkTrust

Have you tried adding commands other than table after "index=sophos_central"?  Do any of them trigger the automatic lookup?  Do you see any error messages in the search log or in splunkd.log?

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Have you tried additional SPL commands (following a |)?

Are you searching in Verbose Mode?

---
If this reply helps you, Karma would be appreciated.

bazcurtis178
Explorer

I think I have made some progress.

index="sophos_central" "Event::Endpoint::Application::Detected" | table name, endpoint_type, location, when, customer_id, sub_estate, group

That search gives me this which is correct.

[Screenshot (2021-12-31 09:16): table output of the search above]

I have now realised that I can add the sub_estate field from the Interesting Fields to the Selected Fields and that does what I want it to do. I can now see the sub_estate in every search.

Thanks for the help.

bazcurtis178
Explorer

I ran this search

index="sophos_central" "Event::Endpoint::Application::Detected"

and got the following result. This is the customer_id I wanted to change

[Screenshot (2021-12-30 09:55): raw event view showing the customer_id GUID]

index=_internal sourcetype=splunkd didn't seem to show any errors


bazcurtis178
Explorer

Thanks for the reply. That has worked well. I was hoping it would replace the field in all searches, but I have managed to get it to work with this search

index="sophos_central" "Event::Endpoint::Application::Detected" | lookup sub_estate_lookups.csv customer_id OUTPUT Name | table name, endpoint_type, location, when, customer_id, sub_estate, group

Is it possible to replace the field by default whenever it is found?


richgalloway
SplunkTrust

Assuming the customer name is not available in another field, create a lookup table that maps GUID to name then make the lookup in your query.

If the lookup (I'll call it "guid2name.csv") looks like this:

GUID     Name
8a400b04-51f0-4c70-9340-cc7b9964e5ed  Foo
bab2f4c4-5278-4a52-a65c-8c8a287a7726  Bar

A query might look like this:

<your search for ID>
| lookup guid2name.csv GUID as ID OUTPUT Name
...


---
If this reply helps you, Karma would be appreciated.
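The thread's remaining question is how to apply the GUID-to-name mapping on every search without typing `| lookup` each time. That is what an automatic lookup does: it is defined once in transforms.conf and props.conf and Splunk runs it at search time for every event of the matching sourcetype. The stanzas below are an added example, not configuration from the original posts or from Sophos or Splunk; they reuse the `guid2name.csv` table with `GUID` and `Name` columns from the reply above, and the sourcetype name `sophos:central` is an assumption (the thread only shows the index name). The event field is `customer_id`, as in the poster's search.

```ini
# Added example. The lookup table itself lives at
# $SPLUNK_HOME/etc/apps/<app>/lookups/guid2name.csv with the header
# GUID,Name (columns as in the reply above).

# --- $SPLUNK_HOME/etc/apps/<app>/local/transforms.conf ---
[guid2name]
filename = guid2name.csv
# GUIDs are usually lowercase in logs but are often pasted in mixed case
# into the CSV; matching case-insensitively avoids silent non-matches.
case_sensitive_match = false

# --- $SPLUNK_HOME/etc/apps/<app>/local/props.conf ---
# Automatic lookups are keyed on sourcetype (or source::/host::), not on
# the index; "sophos:central" is an assumed sourcetype name.
[sophos:central]
# Join the event's customer_id against the CSV's GUID column and add a
# customer_name field. The raw event text (_raw) is never rewritten;
# the lookup only adds a search-time field alongside customer_id.
LOOKUP-guid2name = guid2name GUID AS customer_id OUTPUT Name AS customer_name
```

After the config is deployed (restart the search head or hit `/debug/refresh`), a search such as `index="sophos_central" | table customer_id customer_name` shows the name next to the GUID with no `| lookup` in the query. The output field is renamed to `customer_name` rather than `Name` so it cannot be confused with the existing lowercase `name` field in these events (Splunk field names are case-sensitive, but two near-identical names in one table invite mistakes). In Fast mode only the fields a search explicitly references are discovered, so the new field shows up in the fields sidebar in Verbose mode or when the search names it, which is the point behind the "Are you searching in Verbose Mode?" question above.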