topic Re: Device names (normally static data) have changed in Splunk Search

Device names (normally static data) have changed

jdaivs — Tue, 06 May 2014 14:29:39 GMT

We recently implemented a new naming convention for devices logging to Splunk a managing device. The only way of determining that an event came from a specific device is from the device name field in the event. I want to do a daily average of the event counts from each device but the numbers are off because the values in the device name field have changed.

There isn't another piece of data available in the logs that are fed into Splunk that I can use instead so my question is whether there is a way to combine the old and new device names so that the stats are more accurate?

Any suggestions would be greatly appreciated.

Re: Device names (normally static data) have changed

jimodonald — Tue, 06 May 2014 14:48:18 GMT

A couple of ideas spring to mind.

1) you can create a lookup table with the old and new names and make it an automatic lookup. See the Lookups and Workflow actions in the Knowledge Manager Manual.

2) you can create field aliases to do something similar. See Tags and Aliases in the Knowledge Manager Manual

Personally, I would probably go with the lookup table. I suspect you've got something mapping the old name and new name already. It wouldn't take much to export that as a CSV and create the automatic lookup.

Re: Device names (normally static data) have changed

somesoni2 — Tue, 06 May 2014 16:13:45 GMT

If you device name has changed with a specific pattern, you can update the old values in device name field with new values (using rex/eval).

Re: Device names (normally static data) have changed

jdaivs — Mon, 28 Sep 2020 16:32:59 GMT

Here is the search I am using to get the daily average

sourcetype=ids_alerts
| stats count BY DEVICE_NAME, date_month, date_mday
| stats avg(count) AS "Daily Average" BY DEVICE_NAME

I do have a old-to-new name table but there are only a handful of the older device names showing and eventually are going to age off. So I don't know that a lookup table will be ideal (but would be good to know how). I have tagged the older names with the newer name but I am unclear on how to merge the tag in place of the old device name.

Re: Device names (normally static data) have changed

jdaivs — Tue, 06 May 2014 19:21:58 GMT

I appreciate this but although the new naming convention has a pattern, the old one does not.

Re: Device names (normally static data) have changed

jimodonald — Tue, 06 May 2014 20:04:39 GMT

Since you've tagged the old hostnames with the new, there should not be anything left to do. Just run your searches with the new hostname. If your search crosses over into the time range with the old hostname, the tags should override the old hostname with the tag you set.

As for how do do the lookup table, Splunk has a great video explaining it. See http://www.splunk.com/view/SP-CAAAE3F

Re: Device names (normally static data) have changed

jdaivs — Thu, 08 May 2014 17:44:18 GMT

Using a combination of both recommendations I managed to solve my problem. First, I tagged the old device names that were showing up with the new device names. Then I used eval coalesce() recommended when I asked a similar question.

 <my search criteria> | eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) | stats count BY DEVICE_NAME, date_month, date_mday | stats avg(count) AS "Average_Alert_Count" BY DEVICE_NAME | eval Average_Alert_Count=round(Average_Alert_Count,2)

The next thing I want to do is show the event count for the last 24 hours compared to the average. I am reviewing some of the other documentation/answers on the site for pointers, but step one is done! Thanks for the help.

Re: Device names (normally static data) have changed

jdaivs — Thu, 08 May 2014 17:47:39 GMT

Unfortunately I cannot view the video from work. If this is the case, though I would have to assume that there is something on the back-end that isn't set up correctly for this to work since this did not happen natively.