All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use dbx to lookup Ids?

plynch52
Explorer
‎04-03-2017 05:24 PM

I have a variable portion of a log file that is structured, all IDs are numeric. There are over 100K possible different IDs. It is not a fixed set of IDs, so coding individual field names doesn't work.
[id-1=cnt-1, id-2=cnt2, id-3=cnt3, ...,id-n=cnt-n]

this is parsed as
| rex field=stats max_match=100 "(?\d*=\d*)"

I want to replace the numeric id-n with a name from a table. I have the dbx lookup defined that provides
id-n, name.

Thanks from a newbie

Tags (1)
0 Karma
Reply

plynch52
Explorer
‎04-03-2017 06:14 PM

Thanks,
I goofed on copy the parse
rex field=stats max_match=100 "(? kvpair \d*=\d*)"
with angle brackets around kvpair

0 Karma
Reply

woodcock
Esteemed Legend
‎04-03-2017 05:57 PM

I usually start a search with |dbxquery and end it with | outputlookup MyLookup and schedule this to run every evening. Then I just use |lookup MyLookup in searches.

0 Karma
Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...