Splunk ITSI

Multiple events into 1 event

dlm
Explorer

I am trying to generate one event from a list of similar events. I want to remove the _check and add these to one field separated by commas. I am generating a critical event that lists all the hosts that are not showing.

example:

HOST              SEVERITY
Bob_1009_check    Critical
Jack_1002_check   Critical
John_1001_check   Critical

So when I am done I want it to be:

HOST (or some other field name)     SEVERITY    DESCRIPTION
Bob_1009, Jack_1002, John_1001      Critical    (Bob_1009, Jack_1002, John_1001) are no longer up, please review your logs.

I have trimmed the host accurately but I cannot figure out how to get a table of hosts to show in a side-by-side list to add into a description field I want to generate in an alert. I DO NOT WANT a table. I want them side by side, comma separated or semicolon separated.

1 Solution

dlm
Explorer

With the information from both and research, I found the answer that I was looking for:

| stats values(host) as host
| eval host="(".mvjoin(host,",").")"
| nomv host
| eval description=host."  host have failed"

the results gave me what I was looking for: (host1,host2,host3....) host have failed

the stats command made the host a multivalue field, the mvjoin allowed the commas between, and the nomv took away the multivalue and made it a normal field.

Thanks for ideas. Appreciate the time from your busy schedules.


dlm
Explorer

It's not working as I expect. I already knew how to do the description. To simplify, I am creating a script for whether it is up or down. If there are no failed alerts, then it is up. I am creating an event for up or down. If they're down, I need to add the list of down hosts to the description. I can't use my real data, but this was enough to give a better understanding.

index=myindex message=" failed*"
| table host
| dedup host
| append
    [| makeresults annotate=true
     | eval host="Dummy"
     | table host]
| eventstats count
| eval status = if(count<2,"UP","DOWN")
| eval severity = if(status="DOWN","Critical","Normal")
| eval multiplehost=mvjoin(host, ", ")
| eval msg=if(severity="Critical","Host Have Failed", "Host are Successful")
| eval description=if(severity="Critical",multiplehost,"").msg



I have tried different commands to join it and placed it in various places. I can't seem to get it to add them together into (host1,host2,host3) in a description. 


PickleRick
SplunkTrust

OK. Right from the start there are some things that can be improved 🙂

| table host
| dedup host

While in this particular case it might not make such a difference, it's worth remembering that the table command moves processing to the search-head layer, so it's best avoided until you really need to transform your data into a table for presentation.

I'd do

| stats values(host) as host
| mvexpand host

instead.

The annotate=t part is also not needed very much as you only want to set one field.

I'm not sure what you're trying to do with this line:

| eval multiplehost=mvjoin(host, ", ")

I suppose you want it to work differently than it does. You can't "reach" to other result lines with the eval command. So you either need to combine your results into a multivalued field or maybe transpose your results and do a foreach. But this one will not work.

Also, unless you have one of each host (not just one "dummy") in the appended part you won't detect the failed ones.



dlm
Explorer

The mvjoin line was only one way I tried to add all the hosts together to get it to look like (host1,host2,host3) are not coming in on the description. I am having difficulty getting any of the results to be side by side, separated by a comma. That is why I am on here. I have looked through so much documentation and cannot get my results for the hosts to go into one event that looks like (host1, host2, host3).

You stated to use a foreach command. I am not quite sure how that would look to get it to put the host in one event side by side.


ITWhisperer
SplunkTrust

If you want multiple values in a single field you could do this

| stats values(HOST) as HOST by SEVERITY
| eval HOST=mvjoin(HOST, ",")
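As an added example (editor's code, not from any of the posts above), here is one search that combines the accepted answer's stats/mvjoin approach, the UP/DOWN logic from the "it's not working as I expect" post, and ITWhisperer's stats-based grouping into a single alert-ready row, without the appended "Dummy" result. The index name myindex and the message field come from the thread; the sourcetype hostcheck, the %failed% match, the 15-minute window and the output field names are assumptions.

```spl
index=myindex sourcetype=hostcheck earliest=-15m
| eval host=replace(host, "_check$", "")
| eval failed_host=if(like(message, "%failed%"), host, null())
| stats count AS total_events, dc(failed_host) AS down_count, values(failed_host) AS down_hosts
| eval STATUS=if(down_count>0, "DOWN", "UP")
| eval SEVERITY=if(STATUS="DOWN", "Critical", "Normal")
| eval HOST=if(down_count>0, mvjoin(down_hosts, ", "), "none")
| eval DESCRIPTION=case(
      total_events=0, "No check results were received in this window; verify forwarding before trusting an UP status.",
      down_count>0,   "(".HOST.") are no longer up, please review your logs.",
      true(),         "All hosts are reporting.")
| table HOST SEVERITY STATUS DESCRIPTION
```

stats without a by clause always returns exactly one row, even when the base search matches nothing, so total_events=0 and down_count=0 come back instead of an empty result and the dummy row is no longer needed. The _check suffix is stripped per event, before stats, so no string handling on a multivalue field is required, and dc() and values() ignore the null failed_host values from events that did not match. The total_events=0 branch is the one a security check should not skip: an empty window usually means the checks stopped arriving (forwarder down, index quota, time mismatch), not that every host is healthy, so the alert must not report UP on no data. In the alert action, reference the fields as $result.HOST$, $result.SEVERITY$ and $result.DESCRIPTION$.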

PickleRick
SplunkTrust

I don't know what it has to do with ITSI but in general, if you want to present something in a table, you use a table. If you want to manually render some strings, you just use eval to concatenate multiple strings together, add something to them and so on.

Depending on your use case, you could use the table but use some clever styling with CSS to render the table the way you want.

So either use something like

| eval host_with_description = host . description

or be more precise about what you want to achieve.
