I would like to do this permanently but let us try it on the command line first.
Command:
source="C:\\..." | rex "^(?<client_ip>[0-9\.]+) (?<user>[0-9\-]*) (?<profile>[0-9\-]*) (?<timestamp>\[[^\]]+\]) (?<url>\"[^\"]+\") (?<http_status>[0-9\-]+) (?<bytes>[0-9\-]+) (\"[^\"]+\") (?<user_agent>\"[^\"]+\") (?<processing_time>[0-9\-]+) (?<registrant>\"[^\"]+\") (?<forward_for>[0-9\.\-]+)" | lookup registrant.csv registrant
Input (Apache custom log):
1.1.1.1 - - [24/Apr/2013:16:10:08 +0200] "GET /someurl HTTP/1.1" 200 278356 "-" "some useragent" 123 "9999" 111.222.333.444
Lookup file:
registrant,fullname
9999,John Doe
7777,Jane Doe
Where do I save registrant.csv? I put it in \etc\apps\search\local and \etc\system\lookups.
Where would I see John Doe in the output if the above worked?
UPDATE
So I tried the suggestion given.
In etc\system\lookups\registrants.csv I have:
applicationid,username,email
0,Anonymous,
1234,John Doe,johndoe@xxx.com
4321,Jane Doe,janedoe@xxx.com
In \etc\system\local\props.conf I have:
[registrants]
EXTRACT-fields=^(?<client_ip>[0-9\.]+) (?<user>[0-9\-]*) (?<profile>[0-9\-]*) (?<timestamp>\[[^\]]+\]) (?<url>\"[^\"]+\") (?<http_status>[0-9\-]+) (?<bytes>[0-9\-]+) (\"[^\"]+\") (?<user_agent>\"[^\"]+\") (?<processing_time>[0-9\-]+) (?<applicationid>\"[^\"]+\") (?<forward_for>[0-9\.\-]+)
LOOKUP-applicationid=registrants username
In \etc\system\local\transforms.conf I have:
[registrants]
filename = registrants.csv
I am now getting an error on all searches: "The lookup table 'registrant' does not exist. It is referenced by configuration 'combined_wcookie'.", which I have no idea how to get rid of :(((
UPDATE
The documentation is not clear. It uses the same names for the source file fields and the CSV.
I am now a bit further. One issue is that the CSV is forced by Splunk to numeric values, since the field I am testing happens to be a number. In the log file it is a string, so I have to extract it without quotes.
I now extract ONE (1) record out of many. It is not encouraging...
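As an added example (not code from the question and not Splunk's own code), the Python below does outside Splunk what the rex + lookup pipeline above is meant to do: apply the same regex to the custom Apache line, join the extracted registrant field against the CSV, and show the failure mode the poster ran into, namely that a registrant group which keeps the surrounding quotes ("9999") never matches the unquoted key (9999) in the lookup file. The first log line is the one from the question; the other two log lines and the lookup rows are constructed for this example.

```python
import csv
import io
import re

# Regex for the custom Apache log format shown in the question. As in the
# poster's rex, the registrant group still includes the surrounding quotes;
# parse_line() decides whether to strip them afterwards.
LOG_RE = re.compile(
    r'^(?P<client_ip>[0-9.]+) (?P<user>[0-9-]*) (?P<profile>[0-9-]*) '
    r'(?P<timestamp>\[[^\]]+\]) (?P<url>"[^"]+") (?P<http_status>[0-9-]+) '
    r'(?P<bytes>[0-9-]+) ("[^"]+") (?P<user_agent>"[^"]+") '
    r'(?P<processing_time>[0-9-]+) (?P<registrant>"[^"]+") '
    r'(?P<forward_for>[0-9.-]+)$'
)

# Constructed sample events: the first line is from the question, the other
# two are made up to exercise a second hit and a lookup miss.
SAMPLE_LOG = """\
1.1.1.1 - - [24/Apr/2013:16:10:08 +0200] "GET /someurl HTTP/1.1" 200 278356 "-" "some useragent" 123 "9999" 111.222.333.444
2.2.2.2 - - [24/Apr/2013:16:11:09 +0200] "POST /login HTTP/1.1" 302 0 "-" "other agent" 45 "7777" 10.0.0.1
3.3.3.3 - - [24/Apr/2013:16:12:10 +0200] "GET /x HTTP/1.1" 404 12 "-" "agent" 7 "5555" -
"""

# Constructed lookup table with the same layout as registrant.csv above.
SAMPLE_CSV = """\
registrant,fullname
9999,John Doe
7777,Jane Doe
"""


def parse_line(line, strip_quotes=True):
    """Return the extracted fields for one event, or None if it does not match.

    With strip_quotes=True the registrant value is 9999, which is what the
    CSV holds; with strip_quotes=False it is "9999" (quotes included), which
    never equals a lookup key, so the join silently yields nothing.
    """
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    if strip_quotes:
        fields["registrant"] = fields["registrant"].strip('"')
    return fields


def load_lookup(csv_text, key="registrant"):
    """Build a dict from the CSV text, keyed on the lookup input field as a string."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key]: row for row in reader}


def enrich(log_text, csv_text, strip_quotes=True):
    """Parse every event and attach fullname from the lookup (None on a miss)."""
    table = load_lookup(csv_text)
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line, strip_quotes)
        if fields is None:
            continue  # non-matching line, as Splunk would leave the fields empty
        row = table.get(fields["registrant"])
        fields["fullname"] = row["fullname"] if row else None
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in enrich(SAMPLE_LOG, SAMPLE_CSV):
        print(ev["client_ip"], ev["registrant"], ev["fullname"])
    # Leaving the quotes inside the registrant field makes every lookup miss:
    print([ev["fullname"] for ev in enrich(SAMPLE_LOG, SAMPLE_CSV, strip_quotes=False)])
```

Run it as a script to see the three events with John Doe, Jane Doe and None, followed by a list of three None values for the quoted variant. The same check applies in Splunk: compare the extracted field's raw value (with `| table registrant`) against the CSV column before blaming the lookup configuration.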