Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract key/value parameters and issue lookup?

vhwang
New Member
‎10-18-2011 10:07 AM

I have a log containing some commands like so:

SWFCMD_DNLK_LOG:  WHICHLOG = CMD_LOG_IMDCMD, TIMERANGESTRT = 0, TIMERANGEEND = 2147483647, DNLNKPRIO = 1
IHFVIS_FW_ABS:  FILTER_NUM = FILTER_4

Or in a more familiar syntax:
swfcmd_dnlk_log(whichlog=cmd_log_imdcmd, timerangestrt=0, timerangeend=20123, dnlinkprio=1)

I have another lookup table that looks like this:

function_name, function_description, parameter, parameter_description
swfcmd_dnlk_log  dnlk_description_txt  whichlog   whichlog_description_text
swfcmd_dnlk_log  dnlk_description_txt  timerangestrt timerangestrt_description_text
etc...

What's the best way to perform the extraction and lookup?

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎05-29-2015 03:41 PM

Let Splunk do the KVP extraction automatically like this in props.conf:

KV_MODE=auto_escaped

Then do the lookup like this

... lookup MYLOOKUP WHICHLOG AS parameter  OUTPUT parameter_description

Or this:

... lookup MYLOOKUP WHICHLOG AS function_name OUTPUT function_description
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...