topic Re: What is the best query for retrieving a field name in different languages? in Splunk Search

What is the best query for retrieving a field name in different languages?

jip31 — Tue, 18 Dec 2018 09:14:33 GMT

hello,

I use the WMI below

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"

and i have to retrieve a specific field.

The problem is that this field is sometimes in French, sometimes in English and sometimes in german
for example :

french : chemin de l'application défaillante
english : faulting application path
german : pfad der fehlerhaften anwendung

is there a solution for having the log in a same language?

If not, what is the best query for retrieving the field no matter the language is??

thanks

Re: What is the best query for retrieving a field name in different languages?

whrg — Tue, 29 Sep 2020 22:25:44 GMT

Hello @jip31,

I couldn't find any translation rules in the Splunk Add-on for Microsoft Windows. So I think you will have to do the translation yourself.

You could use the coalesce eval function to create one common field for all languages. Assuming your available field are named faulting_application_path, chemin_de_lapplication_defaillante and pfad_der_fehlerhaften_anwendung:

eval faulting_application_path=coalesce(faulting_application_path,chemin_de_lapplication_defaillante,pfad_der_fehlerhaften_anwendung)

Re: What is the best query for retrieving a field name in different languages?

macadminrohit — Tue, 18 Dec 2018 16:00:37 GMT

Is splunk not automatically identifying the field names for you ?

Re: What is the best query for retrieving a field name in different languages?

jip31 — Wed, 19 Dec 2018 09:56:03 GMT

hello
I done this but I think it counts only the "Chemin d’accès de l’application défaillante" events
is is true?

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error" | dedup _time | eval faulting_application_path=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung") | stats count by "Chemin d’accès de l’application défaillante" | rename "Chemin d’accès de l’application défaillante" as Application, count as Errors | sort -Errors limit=10

I need to count all the item in coalesce so i need something like this

| eval test=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung") 
| stats count by test

Re: What is the best query for retrieving a field name in different languages?

whrg — Wed, 19 Dec 2018 10:02:50 GMT

It can be tricky to work with fields which contain spaces in the field name.
I think you need to use single quotation marks:

| eval faulting_application_path=coalesce('Faulting application path','Chemin d’accès de l’application défaillante','Pfad der fehlerhaften Anwendung')
| stats count as Errors by faulting_application_path

Re: What is the best query for retrieving a field name in different languages?

jip31 — Fri, 21 Dec 2018 06:26:15 GMT

thanks perfect
last question : i do the same thing for another sourcename but it doesnt works. could you help me please??

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Hang"
| dedup _time
| eval 'Application Path'=coalesce('Application Path','Chemin d’accès de l’application','Anwendungspfad')
| stats count as Errors by 'Application Path'
| rename 'Application Path' as Application
| sort -Errors limit=10

Re: What is the best query for retrieving a field name in different languages?

whrg — Fri, 21 Dec 2018 09:04:45 GMT

I think it needs to be
| eval "Application Path" = ...
and
| stats count as Errors by "Application Path"
and
| rename "Application Path" as Application

Spaces in field names can be really tricky. Better do
eval Application_Path = ...
to avoid spaces.

Re: What is the best query for retrieving a field name in different languages?

jip31 — Fri, 21 Dec 2018 12:08:01 GMT

perfect! thanks