Dashboards & Visualizations

How to make filldown permanent?

splunklearner12
Path Finder

I have logs where most events contain a Logon ID, but only one event with any logon_id contains a hostname. This means, two events may have the same logon_id, but only one of them will have a hostname. I want all of those events to contain a hostname though. I can do this by using filldown in a search like this: "base_search logon_id=*| filldown hostname", but how do I permanently insert a hostname field into the events that only come with a logon_id? I looked at calculated fields, but they need eval, and transform fields need a regex. Any ideas?

Tags (1)
0 Karma
1 Solution

FrankVl
Ultra Champion

Don't think you can do that in props&transforms as that always processes events 1 by 1. So if the information you need is not present in the event itself, but copied from another event, you will need to do that in the search bar. Note: filldown would only work if your events are in the right order (the event with hostname first, then the events with same logon_id without hostname) then a new logon_id with hostname etc.

| eventstats values(hostname) as hostname by logon_id might be a safer option to ensure you assign all events with the same logon_id the same hostname.

View solution in original post

0 Karma

FrankVl
Ultra Champion

Don't think you can do that in props&transforms as that always processes events 1 by 1. So if the information you need is not present in the event itself, but copied from another event, you will need to do that in the search bar. Note: filldown would only work if your events are in the right order (the event with hostname first, then the events with same logon_id without hostname) then a new logon_id with hostname etc.

| eventstats values(hostname) as hostname by logon_id might be a safer option to ensure you assign all events with the same logon_id the same hostname.

0 Karma

splunklearner12
Path Finder

Shame it doesn't work like that, but thanks for the safer option using eventstats.

0 Karma

FrankVl
Ultra Champion

Just to check, the value you want to go into the hostname field is not already present in some other field of the events that have no hostname value (e.g. in host or dest field or something)?

And you might want to confirm that logon_id is unique per host, otherwise my eventstats option would also cause some issues (you'd actually get multivalued hostname fields then).

0 Karma

splunklearner12
Path Finder

No, the hostname does not exist in another field.
For your second question, yes and no. I have found that a logon_id may sometimes contain 2 hostnames, which is the same hostname in upper and lower case. When I use "| eventstats values(client_ip) as client_ip by logon_id" instead, I only get one IP per logon_id. Similar to hostnames, the client_ip only appears once for each logon_id. I checked how many client_ip's occur for each logon_id using this search which returned "1" for everything:
"base_search logon_id=* | stats dc(client_ip) by logon_id | sort - dc(client_ip)"

0 Karma

splunklearner12
Path Finder

I do have to note that eventstats is notably slower. If I append a search and use eventstats in both, nothing comes up at all even waiting a long time. I have decided to use filldown because it seems to be good enough for my purpose.

0 Karma

FrankVl
Ultra Champion

I can imagine filldown would indeed be faster, problem is that if the events arrive out of order (the events of 2 or more different logon_id values getting mixed up) you will be assigning incorrect hostname values.

splunklearner12
Path Finder

I definitely agree with those flaws after looking closely at the results. I think I can avoid appending search so can also avoid filldown as well.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...