I have a log containing some commands like so:
SWFCMD_DNLK_LOG: WHICHLOG = CMD_LOG_IMDCMD, TIMERANGESTRT = 0, TIMERANGEEND = 2147483647, DNLNKPRIO = 1
IHFVIS_FW_ABS: FILTER_NUM = FILTER_4
Or in a more familiar syntax:
swfcmd_dnlk_log(whichlog=cmd_log_imdcmd, timerangestrt=0, timerangeend=20123, dnlinkprio=1)
I have another lookup table that looks like this:
function_name, function_description, parameter, parameter_description
swfcmd_dnlk_log dnlk_description_txt whichlog whichlog_description_text
swfcmd_dnlk_log dnlk_description_txt timerangestrt timerangestrt_description_text
etc...
What's the best way to perform the extraction and lookup?
Let Splunk do the KVP extraction automatically like this in props.conf:
KV_MODE=auto_escaped
Then do the lookup like this
... lookup MYLOOKUP WHICHLOG AS parameter OUTPUT parameter_description
Or this:
... lookup MYLOOKUP WHICHLOG AS function_name OUTPUT function_description
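For anyone who wants to check the extraction and lookup outside Splunk first, here is an added example (not from the original post or from Splunk) that parses the `FUNC: KEY = VALUE, ...` event format from the question and joins each parameter against the lookup table by (function_name, parameter). The descriptions in the table are the placeholder strings from the question, and the case-insensitive match is an assumption made here.

```python
import csv
import io
import re

# Constructed sample events in the format shown in the question.
LOG_LINES = [
    "SWFCMD_DNLK_LOG: WHICHLOG = CMD_LOG_IMDCMD, TIMERANGESTRT = 0, TIMERANGEEND = 2147483647, DNLNKPRIO = 1",
    "IHFVIS_FW_ABS: FILTER_NUM = FILTER_4",
]

# Constructed lookup table mirroring the question's columns (descriptions are placeholders).
LOOKUP_CSV = """function_name,function_description,parameter,parameter_description
swfcmd_dnlk_log,dnlk_description_txt,whichlog,whichlog_description_text
swfcmd_dnlk_log,dnlk_description_txt,timerangestrt,timerangestrt_description_text
"""

EVENT_RE = re.compile(r"^\s*(?P<func>\w+)\s*:\s*(?P<params>.*)$")
KV_RE = re.compile(r"(\w+)\s*=\s*([^,]*?)\s*(?:,|$)")

def parse_event(line):
    """Split 'FUNC: K = V, K = V' into (func, {k: v}); None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    params = {k: v for k, v in KV_RE.findall(m.group("params"))}
    return m.group("func"), params

def load_lookup(csv_text):
    """Index rows by lowercase (function_name, parameter); assumed case-insensitive match."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["function_name"].lower(), row["parameter"].lower())
        table[key] = (row["function_description"], row["parameter_description"])
    return table

def enrich(line, table):
    """One dict per parameter; descriptions are None where the lookup has no matching row."""
    parsed = parse_event(line)
    if parsed is None:
        return []
    func, params = parsed
    out = []
    for name, value in params.items():
        func_desc, param_desc = table.get((func.lower(), name.lower()), (None, None))
        out.append({"function_name": func, "parameter": name, "value": value,
                    "function_description": func_desc, "parameter_description": param_desc})
    return out
```

Parameters with no row in the table (TIMERANGEEND, DNLNKPRIO, and the whole IHFVIS_FW_ABS command) come back with None descriptions, which is the gap a lookup would silently leave in Splunk as well.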