Solved: How to make filldown permanent?

splunklearner12 · ‎07-02-2019

I have logs where most events contain a Logon ID, but only one event with any logon_id contains a hostname. This means, two events may have the same logon_id, but only one of them will have a hostname. I want all of those events to contain a hostname though. I can do this by using filldown in a search like this: "base_search logon_id=*| filldown hostname", but how do I permanently insert a hostname field into the events that only come with a logon_id? I looked at calculated fields, but they need eval, and transform fields need a regex. Any ideas?

FrankVl · ‎07-02-2019

Don't think you can do that in props&transforms as that always processes events 1 by 1. So if the information you need is not present in the event itself, but copied from another event, you will need to do that in the search bar. Note: filldown would only work if your events are in the right order (the event with hostname first, then the events with same logon_id without hostname) then a new logon_id with hostname etc.

| eventstats values(hostname) as hostname by logon_id might be a safer option to ensure you assign all events with the same logon_id the same hostname.

View solution in original post

FrankVl · ‎07-02-2019

Don't think you can do that in props&transforms as that always processes events 1 by 1. So if the information you need is not present in the event itself, but copied from another event, you will need to do that in the search bar. Note: filldown would only work if your events are in the right order (the event with hostname first, then the events with same logon_id without hostname) then a new logon_id with hostname etc.

| eventstats values(hostname) as hostname by logon_id might be a safer option to ensure you assign all events with the same logon_id the same hostname.

splunklearner12 · ‎07-02-2019

Shame it doesn't work like that, but thanks for the safer option using eventstats.

FrankVl · ‎07-02-2019

Just to check, the value you want to go into the hostname field is not already present in some other field of the events that have no hostname value (e.g. in host or dest field or something)?

And you might want to confirm that logon_id is unique per host, otherwise my eventstats option would also cause some issues (you'd actually get multivalued hostname fields then).

splunklearner12 · ‎07-02-2019

No, the hostname does not exist in another field.
For your second question, yes and no. I have found that a logon_id may sometimes contain 2 hostnames, which is the same hostname in upper and lower case. When I use "| eventstats values(client_ip) as client_ip by logon_id" instead, I only get one IP per logon_id. Similar to hostnames, the client_ip only appears once for each logon_id. I checked how many client_ip's occur for each logon_id using this search which returned "1" for everything:
"base_search logon_id=* | stats dc(client_ip) by logon_id | sort - dc(client_ip)"

splunklearner12 · ‎07-03-2019

I do have to note that eventstats is notably slower. If I append a search and use eventstats in both, nothing comes up at all even waiting a long time. I have decided to use filldown because it seems to be good enough for my purpose.

FrankVl · ‎07-03-2019

I can imagine filldown would indeed be faster, problem is that if the events arrive out of order (the events of 2 or more different logon_id values getting mixed up) you will be assigning incorrect hostname values.

splunklearner12 · ‎07-03-2019

I definitely agree with those flaws after looking closely at the results. I think I can avoid appending search so can also avoid filldown as well.

How to make filldown permanent?

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...