- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the best query for retrieving a field name...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello,
I use the WMI below
index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"
and i have to retrieve a specific field.
The problem is that this field is sometimes in French, sometimes in English and sometimes in german
for example :
french : chemin de l'application défaillante
english : faulting application path
german : pfad der fehlerhaften anwendung
is there a solution for having the log in a same language?
If not, what is the best query for retrieving the field no matter the language is??
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jip31,
I couldn't find any translation rules in the Splunk Add-on for Microsoft Windows. So I think you will have to do the translation yourself.
You could use the coalesce eval function to create one common field for all languages. Assuming your available field are named faulting_application_path, chemin_de_lapplication_defaillante and pfad_der_fehlerhaften_anwendung:
eval faulting_application_path=coalesce(faulting_application_path,chemin_de_lapplication_defaillante,pfad_der_fehlerhaften_anwendung)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is splunk not automatically identifying the field names for you ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @jip31,
I couldn't find any translation rules in the Splunk Add-on for Microsoft Windows. So I think you will have to do the translation yourself.
You could use the coalesce eval function to create one common field for all languages. Assuming your available field are named faulting_application_path, chemin_de_lapplication_defaillante and pfad_der_fehlerhaften_anwendung:
eval faulting_application_path=coalesce(faulting_application_path,chemin_de_lapplication_defaillante,pfad_der_fehlerhaften_anwendung)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello
I done this but I think it counts only the "Chemin d’accès de l’application défaillante" events
is is true?
index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"
| dedup _time
| eval faulting_application_path=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung")
| stats count by "Chemin d’accès de l’application défaillante"
| rename "Chemin d’accès de l’application défaillante" as Application, count as Errors
| sort -Errors limit=10
I need to count all the item in coalesce so i need something like this
| eval test=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung")
| stats count by test
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It can be tricky to work with fields which contain spaces in the field name.
I think you need to use single quotation marks:
| eval faulting_application_path=coalesce('Faulting application path','Chemin d’accès de l’application défaillante','Pfad der fehlerhaften Anwendung')
| stats count as Errors by faulting_application_path
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks perfect
last question : i do the same thing for another sourcename but it doesnt works. could you help me please??
index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Hang"
| dedup _time
| eval 'Application Path'=coalesce('Application Path','Chemin d’accès de l’application','Anwendungspfad')
| stats count as Errors by 'Application Path'
| rename 'Application Path' as Application
| sort -Errors limit=10
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect! thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it needs to be
| eval "Application Path" = ...
and
| stats count as Errors by "Application Path"
and
| rename "Application Path" as Application
Spaces in field names can be really tricky. Better do
eval Application_Path = ...
to avoid spaces.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
