Add entry data to an alert

mwcentracomm · ‎02-15-2024

I am using the search below

| metadata type=hosts | where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

I would like to add a field populated by somename that ends in "srx"

Jan 4 13:07:57 1.1.1.1 1 2024-01-04T13:07:57.085-05:00 5995-somename-srx rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"]

richgalloway · ‎02-15-2024

Use the eval command to add a field to your results.

| metadata type=hosts 
| where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") 
| fields + host lastSeen
| eval newField="srx"

---
If this reply helps you, Karma would be appreciated.

mwcentracomm · ‎02-15-2024

Sorry, I did not completely explain, - I would like it to return the full name ending in srx.

richgalloway · ‎02-15-2024

Only the fields provided by the metadata command can be displayed unless you add other commands that search indexes for names ending with "srx". If the desired field *is* returned by metadata then include it in the fields command then use where or search to filter the desired values.

| metadata type=hosts 
| where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") 
| fields + host lastSeen
| search host="*srx"

---
If this reply helps you, Karma would be appreciated.

Add entry data to an alert

regex

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

Join Us at the Builder Bar at .conf24 – Empowering Innovation and Collaboration

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users