- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- column name updated how to keep both query results...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
column name updated how to keep both query results ini same dashboard
Hi,
index="spectrum" * | eval foo=_cd | rename "ns1.alarm.ns1.attribute{}.$" as value "ns1.alarm.ns1.attribute{}.@id" as attr | table _time foo attr value| eval id=_cd | eval value=mvzip(attr,value) | mvexpand value | eval attr=mvindex(split(value,","),0) | eval value=mvindex(split(value,","),1) | lookup attr_alarm_spectrum.csv attr OUTPUT field | table _time,field,value,foo | fillnull field,value,foo | eval {field}=value | fields - field,value | stats values(*) as * by _time,foo | fields - foo | eval Severity=if(Severity="3","Critical",if(Severity="2","Major","Minor")) | search Severity=Minor (Name="***" OR IP="*") | lookup State_of_the_Asset_List_on_Unicorn.csv Ip as IP output "Infrastrucure Name" | table _time, Severity,Name,IP,Secure_Domain,Type,Title,Landscape,Acknowledged,Ticket_ID "Infrastrucure Name" | sort -_time
In this query i was using ns1.alarm.ns1.attribute{} and ns1.alarm.ns1.attribute{}.@id but now due to the tool upgrade the json data which am receiving has got changed to alarms.attribute{} and alarm.attribute{}.@id. So if i go ahead and update this query then post upgrade data is only visible but not before upgrade as the column names were different.
So what do you suggest here to do ? to be able to see all the data with same 1st query ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of the 'rename' command, you can use 'if' and 'isnotnull' function as shown below to get data from both the fields.
index="spectrum" *
| eval foo=_cd
| eval value=if(isnotnull(ns1.alarm.ns1.attribute{}),ns1.alarm.ns1.attribute{},alarms.attribute{})
| eval attr=if(isnotnull(ns1.alarm.ns1.attribute{}.@id),ns1.alarm.ns1.attribute{}.@id,alarm.attribute{}.@id)
| table _time foo attr value
| ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jawaharas,
My queries are working perfect. Its just that with ns1.alarm.ns1.attribute data is coming previous to 18th july and with alarm.attribut data is coming post 18th July. As after upgrade of the tool the names got changed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the suggested query. It should return data from both the fields (before and after the date you mentioned)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@surekhasplunk
Can you accept the answer if it's helped you? Thanks.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
