I have logs where most events contain a Logon ID, but only one event with any logonid contains a hostname. This means two events may have the same logonid, but only one of them will have a hostname. I want all of those events to contain a hostname though. I can do this by using filldown in a search like this: "base_search logonid=* | filldown hostname", but how do I permanently insert a hostname field into the events that only come with a logonid? I looked at calculated fields, but they need eval, and transform fields need a regex. Any ideas?
Don't think you can do that in props&transforms as that always processes events 1 by 1. So if the information you need is not present in the event itself, but copied from another event, you will need to do that in the search bar. Note:
filldown would only work if your events are in the right order (the event with the hostname first, then the events with the same logonid without a hostname, then a new logonid with a hostname, etc.).
| eventstats values(hostname) as hostname by logon_id might be a safer option to ensure you assign all events with the same logon_id the same hostname.
Just to check, the value you want to go into the hostname field is not already present in some other field of the events that have no hostname value (e.g. in host or dest field or something)?
And you might want to confirm that logon_id is unique per host, otherwise my eventstats option would also cause some issues (you'd actually get multivalued hostname fields then).
No, the hostname does not exist in another field.
For your second question, yes and no. I have found that a logonid may sometimes contain 2 hostnames, which is the same hostname in upper and lower case. When I use "| eventstats values(clientip) as clientip by logonid" instead, I only get one IP per logonid. Similar to hostnames, the clientip only appears once for each logonid. I checked how many clientips occur for each logonid using this search, which returned "1" for everything:
"`basesearch` logonid=* | stats dc(clientip) by logonid | sort - dc(clientip)"
I do have to note that eventstats is notably slower. If I append a search and use eventstats in both, nothing comes up at all, even after waiting a long time. I have decided to use filldown because it seems to be good enough for my purpose.
I can imagine filldown would indeed be faster; the problem is that if the events arrive out of order (the events of 2 or more different logon_id values getting mixed up) you will be assigning incorrect hostname values.
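To make the two failure modes discussed in this thread concrete (filldown mislabelling events when logon IDs interleave, and eventstats producing a multivalued hostname when the same host appears in mixed case), here is a small Python model of the two commands run over constructed events. This is an added illustration, not code from the thread or from Splunk; the functions `filldown`, `eventstats_values` and `mismatches`, and the sample event lists, are hypothetical approximations of the SPL semantics, and the optional `normalize` argument stands in for an `| eval hostname=lower(hostname)` step placed before `eventstats`.

```python
"""Toy model of Splunk `filldown` and `eventstats values(...) by` over an
in-memory list of events. Hypothetical example code, not Splunk's own."""
from collections import OrderedDict

# Constructed sample events (not real logs). As in the thread, only the
# first event of each logon_id carries a hostname.
ORDERED_EVENTS = [
    {"logon_id": "0x1A", "hostname": "WS01"},
    {"logon_id": "0x1A"},
    {"logon_id": "0x1A"},
    {"logon_id": "0x2B", "hostname": "ws02"},
    {"logon_id": "0x2B"},
]

# Same events, but the second logon's hostname event arrives before the
# last event of the first logon (two logon_ids interleaved out of order).
INTERLEAVED_EVENTS = [
    {"logon_id": "0x1A", "hostname": "WS01"},
    {"logon_id": "0x1A"},
    {"logon_id": "0x2B", "hostname": "ws02"},
    {"logon_id": "0x1A"},  # filldown will wrongly give this event ws02
    {"logon_id": "0x2B"},
]

# One logon_id whose hostname shows up in both upper and lower case.
CASE_EVENTS = [
    {"logon_id": "0x3C", "hostname": "WS03"},
    {"logon_id": "0x3C", "hostname": "ws03"},
    {"logon_id": "0x3C"},
]


def filldown(events, field):
    """Mimic `| filldown <field>`: copy the last non-null value forward,
    purely by event order, with no notion of a grouping key."""
    out, last = [], None
    for ev in events:
        ev = dict(ev)
        if ev.get(field) is not None:
            last = ev[field]
        elif last is not None:
            ev[field] = last
        out.append(ev)
    return out


def eventstats_values(events, field, by, normalize=None):
    """Mimic `| eventstats values(<field>) as <field> by <by>`: every event
    with the same key receives the set of distinct values seen for that key.
    One distinct value stays a string; several become a sorted list, which is
    how a Splunk multivalue field would look. `normalize` (e.g. str.lower)
    models an eval applied to the field before eventstats."""
    groups = OrderedDict()
    for ev in events:
        if ev.get(field) is not None:
            val = normalize(ev[field]) if normalize else ev[field]
            groups.setdefault(ev[by], set()).add(val)
    out = []
    for ev in events:
        ev = dict(ev)
        vals = sorted(groups.get(ev[by], set()))
        if len(vals) == 1:
            ev[field] = vals[0]
        elif vals:
            ev[field] = vals
        out.append(ev)
    return out


def hostnames(events):
    """Flatten the hostname column for easy comparison."""
    return [ev.get("hostname") for ev in events]


def mismatches(raw, filled, field, by):
    """Indices of filled events whose value disagrees with the value the
    key's own hostname event carried in the raw input."""
    truth = {ev[by]: ev[field] for ev in raw if ev.get(field) is not None}
    return [i for i, ev in enumerate(filled) if ev.get(field) != truth.get(ev[by])]


if __name__ == "__main__":
    for name, evs in (("ordered", ORDERED_EVENTS), ("interleaved", INTERLEAVED_EVENTS)):
        fd = filldown(evs, "hostname")
        es = eventstats_values(evs, "hostname", "logon_id")
        print(name, "filldown  ", hostnames(fd), "wrong:", mismatches(evs, fd, "hostname", "logon_id"))
        print(name, "eventstats", hostnames(es), "wrong:", mismatches(evs, es, "hostname", "logon_id"))
    print("mixed case ", hostnames(eventstats_values(CASE_EVENTS, "hostname", "logon_id")))
    print("normalized ", hostnames(eventstats_values(CASE_EVENTS, "hostname", "logon_id", str.lower)))
```

Run as-is to see that filldown is only correct on the ordered list, that eventstats keyed on logon_id is correct on both orderings, and that the mixed-case sample yields a two-value list until the hostnames are lowercased first.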
I definitely agree with those flaws after looking closely at the results. I think I can avoid appending a search, so I can also avoid filldown.