- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search and rename as permanent fields in index?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search and rename as permanent fields in index?
I would like to extract and store data in a new fields so that I don't have to define a conditional statement each time I need to look for the data.
I have events that can contain 9 different types of information, depending on the name of the attribute "Type". I have composed the following search query that extracts one specific type out, and then renames the data under each section.
Unfortunately, this is not a permanent solution. When the session is over, the renaming is gone, because this is a search-time query.
How do I permanently add these fields to this index?
index=mdestats | search Type=scans_completed | rename Level4 as Critical_Scans_Completed | rename Level3 as High_Scans_Completed | rename Level2 as Medium_Scans_Completed | rename Level1 as Low_Scans_Completed
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Case is a boolean evaluation, and that's not what I'm looking for.
From the example above, I want to return the value contained in Level*x* when the conditional statement Type="specified type" is true, and create a new field containing the value of Level*x* to add to that particular event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Case is a boolean evaluation, and that's not what I'm looking for.
From the example above, I want to return the value contained in Level*x* when the conditional statement Type="specified type" is true, and create a new field containing the value of Level*x* to add to that particular event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, change index=mdestats | search Type=scans_completed to index=mdestats Type=scans_completed - not only is it shorter and easier to read, but also gives Splunk a lot more opportunity to speed things up.
As for your renames, you can define Field Aliases for your events that will stick without having to specify that list in every search. Go to Settings -> Fields -> Field Aliases and go nuts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's exactly what case(bool,val) does, return val if bool is true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Case is a boolean evaluation, and that's not what I'm looking for.
From the example above, I want to return the value contained in Level*x* when the conditional statement Type="specified type" is true, and create a new field containing the value of Level*x* to add to that particular event.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm hoping that the bottom search is the equivalent to the eval-based field that is defined... 🙂
Case-sensitivity checked, and the field is available to everyone across all apps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the bottom search yielding thousands of hits have the Critical_Spf_Writes field?
Also keep in mind, Type="spf_writes" is case-sensitive.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, I was able to define my eval-based fields, but when I search on them, I get no results.
Name: Critical_Spf_Writes
Eval expression: case(Type="spf_writes", Level4)
When I search:
Index=mdestats Critical_Spf_Writes>0, I get nothing after the search,
Index=mdestats Type=spf_writes Level4>0 gets thousands of hits over 3 days.
Am I searching this wrong?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could define eval-based fields in the same vicinity of the Settings, something like this:
Name: Critical_Spf_Writes
Eval expression: case(Type="spf_writes", Level4)
Name: Critical_Spf_Reads
Eval expression: case(Type="spf_reads", Level4)
That's a bit cumbersome, but should work. You could also drop your pipeline of renames into a macro and reference that in every search to avoid losing it after your session. Additionally, you may be able to replace the field names entirely in the source data using some sed magic, what does the raw data look like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Creating an alias to the field doesn't solve my problem
Each of my queries has a specific output:
Type=spf_writes | rename Level4 as Critical_Spf_Writes
Type=spf_reads | rename Level4 as Critical_Spf_Reads
Level 4 for one type is not the same as Level 4 for another. I can't change the input, so I need to extract each of these to a unique set based on the search criteria.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
