topic Re: How do you get a description field with the output result fields? in Splunk Search

How do you get a description field with the output result fields?

vrmandadi — Tue, 29 Sep 2020 23:16:56 GMT

I have the below query

index=main AND sourcetype="abc" AND id=* AND ((state="terminated" AND image.attributes.name!="emr*") OR private_ip_address!=null) 
| eval time=strftime(_time,"%d/%m/%Y %H:%M:%S") 
| eval state = if(state=="terminated", state, null()) 
| eval node=aws_account_id 
| eval resource="Instance Termination" 
| eval type="Instance Terminated" 
| eval severity=1 
| stats values(private_ip_address) AS private_ip_address values(state) AS state BY id image.attributes.name 
| mvexpand private_ip_address 
| search state=terminated 
| search private_ip_address!=null

This gives the correct output with id image.attributes.name private_ip_address state. Now I want to have a description field that will change according to the results, but it's not populating because of the stats command running before this. How can we modify the search to result this output?

| eval description="The instance : ". image.attributes.name . " with id:" .id. " has status " .state . "with ip" .private_ip_address. " at ". time

Thanks

Re: How do you get a description field with the output result fields?

lakshman239 — Thu, 14 Feb 2019 17:16:38 GMT

did you try to add your |eval description before stats?. Also you would need to add 'description' in your stats by clause

Re: How do you get a description field with the output result fields?

vrmandadi — Thu, 14 Feb 2019 17:23:46 GMT

Yes I did but no luck

Re: How do you get a description field with the output result fields?

vnravikumar — Thu, 14 Feb 2019 17:55:31 GMT

Hi @vrmandadi

Try like

your query.. | stats values(private_ip_address) AS private_ip_address values(state) AS state BY id image.attributes.name 
| eval temp= mvzip(private_ip_address, state) 
| mvexpand temp
| rex field=temp "(?<private_ip_address>[^\,]+)\,(?<state>[^\,]+)"
| eval description="The instance : ". image.attributes.name . " with id:" .id. " has status " .state . "with ip" .private_ip_address. " at ". time

Re: How do you get a description field with the output result fields?

vrmandadi — Thu, 14 Feb 2019 18:32:35 GMT

I got it using + between each field worked

index=main AND sourcetype="aws:description" AND id=* AND ((state="terminated" AND image.attributes.name!="emr*") OR private_ip_address!=null) 
 | eval time=strftime(_time,"%d/%m/%Y %H:%M:%S")
| eval state = if(state=="terminated", state, null()) 
|stats latest(state) as state  , values(private_ip_address) as private_ip_address , latest(time) as time  by id image.attributes.name aws_account_id |rename image.attributes.name as name | mvexpand private_ip_address 
| search state=terminated 
| search private_ip_address!=null
| eval node=aws_account_id 
| eval resource="Instance Termination" 
| eval type="Instance Terminated" 
| eval severity=1
| eval description="The instance:" + name + " with id:" + id + " has status: " + state + " with ip: " + private_ip_address + " at time: " + time

Re: How do you get a description field with the output result fields?

vrmandadi — Thu, 14 Feb 2019 18:33:21 GMT

I tried this but it did not work

Re: How do you get a description field with the output result fields?

woodcock — Mon, 18 Feb 2019 22:54:43 GMT

No, no, no. Do not use + for concatenation because its primary function is addition and if any of your variables ever has a number in it, you will generate a NaN error. switch back to using . but make sure that you have spaces on each side of each period.