topic Re: How to filter out events to make a search out of it? in Splunk Search

How to filter out events to make a search out of it?

AL3Z — Sun, 05 Feb 2023 12:01:50 GMT

Hi,
I want to create a search out of the below event, to raise an alert if the particular system having the label lostinterface or label is not there and in profiles we have 2 values i.e tndsubnet1 and tndsubnet2, how we can make the search to seperate out the systems in tndsubnets 1 and tndsubnets 2 accordingly to make a search

Thanks..

Re: Need to filter out events to make a search out of it

scelikok — Fri, 03 Feb 2023 15:16:29 GMT

Hi @AL3Z,

You can try below;

| stats latest(Labels) as Labels by profile | where isnull(Labels) or Lables="lostinterface"

Re: Need to filter out events to make a search out of it

AL3Z — Sun, 12 Feb 2023 12:03:10 GMT

Hi @@

How we can fill the empty values of a "labels" field with a string "manage"

Thanks

Re: Need to filter out events to make a search out of it

yuanliu — Fri, 10 Feb 2023 11:22:00 GMT

You can use fillnull to replace null values, or you can use if() function to define a value when original value isnull. Using @scelikok's solution:

| stats latest(Labels) as Labels by profile | where isnull(Labels) or Labels="lostinterface" | fillnull Labels value=manage

| stats latest(Labels) as Labels by profile | where isnull(Labels) or Labels="lostinterface" | eval Labels = if(isnull(Labels), "manage", Labels)

Re: Need to filter out events to make a search out of it

AL3Z — Fri, 10 Feb 2023 13:11:33 GMT

@yuanliu ,
its not working .

Re: How to filter out events to make a search out of it?

scelikok — Sat, 11 Feb 2023 09:11:30 GMT

Hi @AL3Z ,

@yuanliu's solution should work but I think your field name is "labels" not "Labels". Field names are case sensitive. Please try below;

| fillnull labels value=manage

Re: How to filter out events to make a search out of it?

AL3Z — Mon, 13 Feb 2023 07:13:35 GMT

@scelikok , @yuanliu Hi,

I have been receiving alerts with an empty hostname string. In all the events, the hostname is missing. To resolve this, I plan to create a field named "asset_found." If a hostname is found, it will be added to this field. In the absence of a hostname, the mac address will be added, and if that too is unavailable, an empty string will be added.
could you help with the search.

thanks..

Re: How to filter out events to make a search out of it?

scelikok — Mon, 13 Feb 2023 07:29:36 GMT

Hi @AL3Z,

You can use below eval to create asset_found field.

| eval asset_found=coalesce(hostname, mac_address,"")

Re: How to filter out events to make a search out of it?

AL3Z — Mon, 13 Feb 2023 09:00:03 GMT

@scelikok ,

this is not working ????

Re: How to filter out events to make a search out of it?

scelikok — Mon, 13 Feb 2023 10:08:38 GMT

@AL3Z,

Could you please share sample events?

Re: How to filter out events to make a search out of it?

yuanliu — Wed, 15 Feb 2023 05:27:20 GMT

You have to understand that "Is not working" conveys little information even in the best of cases. The phrase is useless when other parties in the discussion have no insight about your data. Can you illustrate data? Explain data characteristics? What is the code you attempted? What is the result? You are making volunteers shooting in the dark.