Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help on field renaming wich dont works
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help on field renaming wich dont works
jip31
Motivator
03-11-2020
11:57 PM
hi
I use the serch below wich match the data present in 2 indexes following by host
In LastLogonBoot, the field "host" is well called "host"
But in wire, the field "host" is in reality calles "USERNAME"
So i need to rename USERNAME by host in order to match the 2 indexes but it doenst works
I have tried this :
| rename USERNAME as host
| eval host=if(index=wire, USERNAME,host)
what is the problem please??
[| inputlookup host.csv
| table host
] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now
| fields host SystemTime EventCode USERNAME NAME
| lookup tutu.csv NAME as AP_NAME OUTPUT Building
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0)
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| lookup toto.csv HOSTNAME as host output SITE
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host
| sort -"Days without reboot"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-12-2020
06:04 AM
Hi @jip31,
You need to rename field in macro: wire definition. Add below query in macro `wire` search query.
| eval host = USERNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-13-2020
04:41 AM
Hi
it doesnt works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-13-2020
04:47 AM
Can you provide macro `wire` query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-13-2020
05:14 AM
index="wineventlogfr" sourcetype=WinEventLog (EventCode=6005 OR EventCode=6006)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
03-13-2020
09:12 AM
If you have values for USERNAME field in `wire` then how come eval is not working?
| eval host = USERNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-16-2020
07:49 AM
i would like to understand....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gaurav_maniar
Builder
03-12-2020
06:02 AM
Hi,
please try the below updated query,
[| inputlookup host.csv
| table host
] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now
| eval host = if(index="wire", USERNAME, host)
| fields host SystemTime EventCode NAME
| lookup tutu.csv NAME as AP_NAME OUTPUT Building
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0)
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| lookup toto.csv HOSTNAME as host output SITE
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host
| sort -"Days without reboot"
accept and up-vote the answer if it helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-13-2020
04:45 AM
Hi
no results...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-17-2020
11:36 PM
Is anybody can help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
03-12-2020
05:59 AM
@jip31, in the above the search, on which line you are trying rename/condition?
If you do not have a host value in the events from wire, probably try host=coalesce(host,USERNAME) after line 4
Happy Splunking!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
03-13-2020
04:39 AM
hi
I try after line 3
I tried your proposal but it doesnt works
Get Updates on the Splunk Community!
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
Introducing the 2024 SplunkTrust!
Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!
The ...
