Splunk Search

Device names (normally static data) have changed

jdaivs
Explorer

We recently implemented a new naming convention for devices logging to Splunk a managing device. The only way of determining that an event came from a specific device is from the device name field in the event. I want to do a daily average of the event counts from each device but the numbers are off because the values in the device name field have changed.

There isn't another piece of data available in the logs that are fed into Splunk that I can use instead so my question is whether there is a way to combine the old and new device names so that the stats are more accurate?

Any suggestions would be greatly appreciated.

Tags (2)
0 Karma

jdaivs
Explorer

Using a combination of both recommendations I managed to solve my problem. First, I tagged the old device names that were showing up with the new device names. Then I used eval coalesce() recommended when I asked a similar question.

 <my search criteria> | eval DEVICE_NAME=coalesce(tag,DEVICE_NAME) | stats count BY DEVICE_NAME, date_month, date_mday | stats avg(count) AS "Average_Alert_Count" BY DEVICE_NAME | eval Average_Alert_Count=round(Average_Alert_Count,2) 

The next thing I want to do is show the event count for the last 24 hours compared to the average. I am reviewing some of the other documentation/answers on the site for pointers, but step one is done! Thanks for the help.

0 Karma

jdaivs
Explorer

I appreciate this but although the new naming convention has a pattern, the old one does not.

0 Karma

somesoni2
Revered Legend

If you device name has changed with a specific pattern, you can update the old values in device name field with new values (using rex/eval).

0 Karma

jimodonald
Contributor

A couple of ideas spring to mind.

1) you can create a lookup table with the old and new names and make it an automatic lookup. See the Lookups and Workflow actions in the Knowledge Manager Manual.

2) you can create field aliases to do something similar. See Tags and Aliases in the Knowledge Manager Manual

Personally, I would probably go with the lookup table. I suspect you've got something mapping the old name and new name already. It wouldn't take much to export that as a CSV and create the automatic lookup.

0 Karma

jdaivs
Explorer

Unfortunately I cannot view the video from work. If this is the case, though I would have to assume that there is something on the back-end that isn't set up correctly for this to work since this did not happen natively.

0 Karma

jimodonald
Contributor

Since you've tagged the old hostnames with the new, there should not be anything left to do. Just run your searches with the new hostname. If your search crosses over into the time range with the old hostname, the tags should override the old hostname with the tag you set.

As for how do do the lookup table, Splunk has a great video explaining it. See http://www.splunk.com/view/SP-CAAAE3F

0 Karma

jdaivs
Explorer

Here is the search I am using to get the daily average

sourcetype=ids_alerts
| stats count BY DEVICE_NAME, date_month, date_mday
| stats avg(count) AS "Daily Average" BY DEVICE_NAME

I do have a old-to-new name table but there are only a handful of the older device names showing and eventually are going to age off. So I don't know that a lookup table will be ideal (but would be good to know how). I have tagged the older names with the newer name but I am unclear on how to merge the tag in place of the old device name.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...