I would like to extract and store data in new fields so that I don't have to define a conditional statement each time I need to look for the data.
I have events that can contain 9 different types of information, depending on the name of the attribute "Type". I have composed the following search query that extracts one specific type out, and then renames the data under each section.
Unfortunately, this is not a permanent solution. When the session is over, the renaming is gone, because this is a search-time query.
How do I permanently add these fields to this index?
index=mdestats | search Type=scans_completed | rename Level4 as Critical_Scans_Completed | rename Level3 as High_Scans_Completed | rename Level2 as Medium_Scans_Completed | rename Level1 as Low_Scans_Completed
First of all, change
index=mdestats | search Type=scans_completed
to
index=mdestats Type=scans_completed
Not only is it shorter and easier to read, but it also gives Splunk a lot more opportunity to speed things up.
As for your renames, you can define Field Aliases for your events that will stick without having to specify that list in every search. Go to Settings -> Fields -> Field Aliases and go nuts.
That's exactly what case(bool,val) does: return val if bool is true.
Case is a boolean evaluation, and that's not what I'm looking for.
From the example above, I want to return the value contained in Level*x* when the conditional statement Type="specified type" is true, and create a new field containing the value of Level*x* to add to that particular event.
I'm hoping that the bottom search is the equivalent to the eval-based field that is defined... 🙂
Case-sensitivity checked, and the field is available to everyone across all apps.
Does the bottom search yielding thousands of hits have the Critical_Spf_Writes field?
Also keep in mind, Type="spf_writes" is case-sensitive.
Ok, I was able to define my eval-based fields, but when I search on them, I get no results.
Name: Critical_Spf_Writes
Eval expression: case(Type="spf_writes", Level4)
When I search:
Index=mdestats Critical_Spf_Writes>0, I get nothing after the search,
Index=mdestats Type=spf_writes Level4>0 gets thousands of hits over 3 days.
Am I searching this wrong?
You could define eval-based fields in the same vicinity of the Settings, something like this:
Name: Critical_Spf_Writes
Eval expression: case(Type="spf_writes", Level4)
Name: Critical_Spf_Reads
Eval expression: case(Type="spf_reads", Level4)
That's a bit cumbersome, but it should work. You could also drop your pipeline of renames into a macro and reference that in every search to avoid losing it after your session. Additionally, you may be able to replace the field names entirely in the source data using some sed magic; what does the raw data look like?
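The same eval-based (calculated) fields written as a props.conf stanza instead of through the Settings UI, as an added example that is not from the thread. The stanza name mdestats_events is an assumed sourcetype, and only the three Type values mentioned above are shown.

```ini
# Added example: props.conf calculated fields equivalent to the
# Settings -> Fields -> Calculated Fields entries described above.
# [mdestats_events] is an assumed sourcetype name; use the real
# sourcetype of the data in the mdestats index.
[mdestats_events]

# Level4 means something different for each Type, so a plain
# FIELDALIAS cannot be used: it would copy Level4 into the new field
# for every event regardless of Type. case() without a default
# returns null when Type does not match, so the new field is only
# created on the matching events.
# Note: the Type="..." comparison is case-sensitive.
EVAL-Critical_Scans_Completed = case(Type="scans_completed", Level4)
EVAL-High_Scans_Completed     = case(Type="scans_completed", Level3)
EVAL-Medium_Scans_Completed   = case(Type="scans_completed", Level2)
EVAL-Low_Scans_Completed      = case(Type="scans_completed", Level1)

EVAL-Critical_Spf_Writes = case(Type="spf_writes", Level4)
EVAL-Critical_Spf_Reads  = case(Type="spf_reads",  Level4)
```

Calculated fields are evaluated at search time after field extraction, so index=mdestats Critical_Spf_Writes>0 will only match once Type and Level4 are themselves extracted for that sourcetype.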
Creating an alias to the field doesn't solve my problem
Each of my queries has a specific output:
Type=spf_writes | rename Level4 as Critical_Spf_Writes
Type=spf_reads | rename Level4 as Critical_Spf_Reads
Level 4 for one type is not the same as Level 4 for another. I can't change the input, so I need to extract each of these to a unique set based on the search criteria.