Splunk Search

What is the best query for retrieving a field name in different languages?

jip31
Motivator

hello,

I use the WMI below

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"

and I have to retrieve a specific field.

The problem is that this field is sometimes in French, sometimes in English and sometimes in German,
for example:

French: chemin de l'application défaillante
English: faulting application path
German: pfad der fehlerhaften anwendung

Is there a solution for having the log in the same language?

If not, what is the best query for retrieving the field no matter what the language is?

thanks

1 Solution

whrg
Motivator

Hello @jip31,

I couldn't find any translation rules in the Splunk Add-on for Microsoft Windows. So I think you will have to do the translation yourself.

You could use the coalesce eval function to create one common field for all languages. Assuming your available fields are named faulting_application_path, chemin_de_lapplication_defaillante and pfad_der_fehlerhaften_anwendung:

eval faulting_application_path=coalesce(faulting_application_path,chemin_de_lapplication_defaillante,pfad_der_fehlerhaften_anwendung)


macadminrohit
Contributor

Is Splunk not automatically identifying the field names for you?


jip31
Motivator

Hello,
I did this, but I think it counts only the "Chemin d’accès de l’application défaillante" events.
Is this true?

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"
| dedup _time
| eval faulting_application_path=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung")
| stats count by "Chemin d’accès de l’application défaillante"
| rename "Chemin d’accès de l’application défaillante" as Application, count as Errors
| sort -Errors limit=10

I need to count all the items in coalesce, so I need something like this:

| eval test=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung") 
| stats count by test

whrg
Motivator

It can be tricky to work with fields which contain spaces in the field name.
I think you need to use single quotation marks:

| eval faulting_application_path=coalesce('Faulting application path','Chemin d’accès de l’application défaillante','Pfad der fehlerhaften Anwendung')
| stats count as Errors by faulting_application_path

jip31
Motivator

Thanks, perfect.
Last question: I do the same thing for another SourceName but it doesn't work. Could you help me please?

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Hang"
| dedup _time
| eval 'Application Path'=coalesce('Application Path','Chemin d’accès de l’application','Anwendungspfad')
| stats count as Errors by 'Application Path'
| rename 'Application Path' as Application
| sort -Errors limit=10


jip31
Motivator

perfect! thanks


whrg
Motivator

I think it needs to be
| eval "Application Path" = ...
and
| stats count as Errors by "Application Path"
and
| rename "Application Path" as Application

Spaces in field names can be really tricky. Better do
eval Application_Path = ...
to avoid spaces.

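Putting the accepted answer and the quoting advice from the last reply together, here is a complete search for the "Application Error" case. This is an added example written for this page, not a search posted by whrg or jip31. It assumes the three extracted field names are exactly the ones quoted in the thread (including the curly apostrophe in the French name); the placeholder value UNMAPPED_LANGUAGE is constructed here so that events whose field name matches none of the three spellings are counted as a bucket of their own instead of being silently dropped by stats.

```spl
index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"
| dedup _time
| eval faulting_application_path=coalesce('Faulting application path','Chemin d’accès de l’application défaillante','Pfad der fehlerhaften Anwendung')
| eval faulting_application_path=if(isnull(faulting_application_path),"UNMAPPED_LANGUAGE",faulting_application_path)
| stats count as Errors by faulting_application_path
| rename faulting_application_path as Application
| sort 10 -Errors
```

Single quotes are used in eval because they tell Splunk that the text is a field name rather than a string literal; double quotes inside coalesce() would just return the literal text of the first argument, which is why the earlier stats result looked like it only counted one language. The target field faulting_application_path has no spaces, so the later stats, rename and sort commands need no quoting at all. If the UNMAPPED_LANGUAGE row shows up with a non-zero count, a fourth spelling exists in the data (the question itself quotes the French field as "chemin de l'application défaillante" while the replies use "Chemin d’accès de l’application défaillante"), so check the exact extracted name in the Fields sidebar and add it to the coalesce() list.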