topic Re: column name updated how to keep both query results ini same dashboard in Splunk Search

column name updated how to keep both query results ini same dashboard

surekhasplunk — Wed, 31 Jul 2019 06:52:43 GMT

Hi,

index="spectrum"  * | eval foo=_cd | rename "ns1.alarm.ns1.attribute{}.$" as value "ns1.alarm.ns1.attribute{}.@id" as attr | table _time foo attr value| eval id=_cd | eval value=mvzip(attr,value) | mvexpand value | eval attr=mvindex(split(value,","),0) | eval value=mvindex(split(value,","),1) | lookup attr_alarm_spectrum.csv attr OUTPUT field | table _time,field,value,foo | fillnull field,value,foo  | eval {field}=value | fields - field,value | stats values(*) as * by _time,foo | fields - foo  | eval Severity=if(Severity="3","Critical",if(Severity="2","Major","Minor")) | search Severity=Minor (Name="***" OR IP="*")  | lookup  State_of_the_Asset_List_on_Unicorn.csv Ip as IP output  "Infrastrucure Name" | table _time, Severity,Name,IP,Secure_Domain,Type,Title,Landscape,Acknowledged,Ticket_ID "Infrastrucure Name" | sort -_time

In this query i was using ns1.alarm.ns1.attribute{} and ns1.alarm.ns1.attribute{}.@id but now due to the tool upgrade the json data which am receiving has got changed to alarms.attribute{} and alarm.attribute{}.@id. So if i go ahead and update this query then post upgrade data is only visible but not before upgrade as the column names were different.

So what do you suggest here to do ? to be able to see all the data with same 1st query ?

Re: column name updated how to keep both query results ini same dashboard

jawaharas — Wed, 31 Jul 2019 07:51:16 GMT

Instead of the 'rename' command, you can use 'if' and 'isnotnull' function as shown below to get data from both the fields.

index="spectrum" * 
| eval foo=_cd 
| eval value=if(isnotnull(ns1.alarm.ns1.attribute{}),ns1.alarm.ns1.attribute{},alarms.attribute{})
| eval attr=if(isnotnull(ns1.alarm.ns1.attribute{}.@id),ns1.alarm.ns1.attribute{}.@id,alarm.attribute{}.@id)
| table _time foo attr value 
| ...

Re: column name updated how to keep both query results ini same dashboard

surekhasplunk — Wed, 31 Jul 2019 08:16:24 GMT

Hi @jawaharas,

My queries are working perfect. Its just that with ns1.alarm.ns1.attribute data is coming previous to 18th july and with alarm.attribut data is coming post 18th July. As after upgrade of the tool the names got changed.

Re: column name updated how to keep both query results ini same dashboard

jawaharas — Wed, 31 Jul 2019 08:50:14 GMT

Try the suggested query. It should return data from both the fields (before and after the date you mentioned)

Re: column name updated how to keep both query results ini same dashboard

jawaharas — Mon, 05 Aug 2019 06:30:30 GMT

@surekhasplunk
Can you accept the answer if it's helped you? Thanks.