Is it possible to combine 2 fields output those re...

ipops · ‎02-20-2018

I have syslog interface events flowing into splunk. Each event is unique with an UP or DOWN within the event data. I'd like to output those results to a table using the DBX addon and build a dashboard only showing interfaces currently in the DOWN state.

Problem is there is no unique key per device.

is it possible to combine 2 fields in the customized_mappings? If the Source_IP+Interface could be combined into a single text field that would work as a unique key. Then the upsert option could be used.

Is this possible? If so how would it be done?

Here are my current customized_mappings

customized_mappings = _time:_time:93,Source_IP:Source_IP:-1,Source_Description:Source_Description:-1,Interface:Interface:Status:Status

cmerriman · ‎03-01-2018

you should just be able to use eval to combine fields. |eval unique_key=Source_IP.Interface

Is it possible to combine 2 fields output those results to a table using the DBX addon and build a dashboard only showing interfaces currently in the DOWN state?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Join the Conversation

Is it possible to combine 2 fields output those results to a table using the DBX addon and build a dashboard only showing interfaces currently in the DOWN state?

New Year, New Changes for Splunk Certifications

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events