Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Add entry data to an alert

mwcentracomm
Explorer
‎02-15-2024 05:26 AM

I am using the search below

| metadata type=hosts | where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") | fields + host lastSeen

 

I would like to add a field populated by somename that ends in "srx"

 

Jan 4 13:07:57 1.1.1.1 1 2024-01-04T13:07:57.085-05:00 5995-somename-srx rpd 2188 JTASK_SIGNAL_INFO [junos@2636.1.1.1.2.133 message-name="INFO Signal Info: Signal Number = " signal-number="1" name=" Consumed Count = " data-1="3"]

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 05:34 AM

Use the eval command to add a field to your results.

| metadata type=hosts 
| where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") 
| fields + host lastSeen
| eval newField="srx"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mwcentracomm
Explorer
‎02-15-2024 10:14 AM

Sorry, I did not completely explain, - I would like it to return the full name ending in srx.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-15-2024 10:23 AM

Only the fields provided by the metadata command can be displayed unless you add other commands that search indexes for names ending with "srx".  If the desired field *is* returned by metadata then include it in the fields command then use where or search to filter the desired values.

| metadata type=hosts 
| where recentTime < now() - 10800| eval lastSeen = strftime(recentTime, "%F %T") 
| fields + host lastSeen
| search host="*srx"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Splunk Observability Metrics Cost Optimization

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...