Re: Help on field renaming wich dont works

jip31 · ‎03-11-2020

hi
I use the serch below wich match the data present in 2 indexes following by host
In LastLogonBoot, the field "host" is well called "host"
But in wire, the field "host" is in reality calles "USERNAME"
So i need to rename USERNAME by host in order to match the 2 indexes but it doenst works
I have tried this :
| rename USERNAME as host
| eval host=if(index=wire, USERNAME,host)
what is the problem please??

[| inputlookup host.csv 
    | table host 
        ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
| fields host SystemTime EventCode USERNAME NAME 
| lookup tutu.csv NAME as AP_NAME OUTPUT Building 
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
| stats latest(SystemTime) as SystemTime by host EventCode 
| xyseries host EventCode SystemTime 
| rename "6005" as LastLogon "6006" as LastReboot 
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
| lookup toto.csv HOSTNAME as host output SITE 
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
| sort -"Days without reboot"

manjunathmeti · ‎03-12-2020

Hi @jip31,

You need to rename field in macro: wire definition. Add below query in macro `wire` search query.

| eval host = USERNAME

jip31 · ‎03-13-2020

Hi
it doesnt works

manjunathmeti · ‎03-13-2020

Can you provide macro `wire` query?

jip31 · ‎03-13-2020

index="wineventlogfr" sourcetype=WinEventLog (EventCode=6005 OR EventCode=6006)

manjunathmeti · ‎03-13-2020

If you have values for USERNAME field in `wire` then how come eval is not working?

| eval host = USERNAME

jip31 · ‎03-16-2020

i would like to understand....

gaurav_maniar · ‎03-12-2020

Hi,

please try the below updated query,

[| inputlookup host.csv 
     | table host 
         ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
 | eval host = if(index="wire", USERNAME, host)
 | fields host SystemTime EventCode NAME 
 | lookup tutu.csv NAME as AP_NAME OUTPUT Building 
 | eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
 | stats latest(SystemTime) as SystemTime by host EventCode 
 | xyseries host EventCode SystemTime 
 | rename "6005" as LastLogon "6006" as LastReboot 
 | eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
 | eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
 | lookup toto.csv HOSTNAME as host output SITE 
 | stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
 | sort -"Days without reboot"

accept and up-vote the answer if it helps.

jip31 · ‎03-13-2020

Hi
no results...

jip31 · ‎03-17-2020

Is anybody can help?

renjith_nair · ‎03-12-2020

@jip31, in the above the search, on which line you are trying rename/condition?
If you do not have a host value in the events from wire, probably try host=coalesce(host,USERNAME) after line 4

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎03-13-2020

hi
I try after line 3
I tried your proposal but it doesnt works

Help on field renaming wich dont works

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!