Solved: substitute a value in results

arapozo · ‎04-06-2011

In windows events on a lot of cases you get a result code from them in hex notation, then you have to look them up and see what each hex means. Is there any way to change the hex to a meaningful expression by substituting the hex code with its meaning? Preferably at search time.

dwaddle · ‎04-06-2011

Yes, you can use a lookup table for this. Some work has been done in this area already by ftk, and packaged into an app. Could http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup help you?

View solution in original post

dwaddle · ‎04-06-2011

Yes, you can use a lookup table for this. Some work has been done in this area already by ftk, and packaged into an app. Could http://splunkbase.splunk.com/apps/All/4.x/Add-On/app:Windows+Event+Codes+Lookup help you?

dwaddle · ‎04-07-2011

It should yes, lookups are applied at search time. See http://www.splunk.com/base/Documentation/latest/Knowledge/Addfieldsfromexternaldatasources for more information on lookups.

arapozo · ‎04-07-2011

Will this work with my already indexed data?

substitute a value in results

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases