Re: Help on field renaming wich dont works

jip31 · ‎03-11-2020

hi
I use the serch below wich match the data present in 2 indexes following by host
In LastLogonBoot, the field "host" is well called "host"
But in wire, the field "host" is in reality calles "USERNAME"
So i need to rename USERNAME by host in order to match the 2 indexes but it doenst works
I have tried this :
| rename USERNAME as host
| eval host=if(index=wire, USERNAME,host)
what is the problem please??

[| inputlookup host.csv 
    | table host 
        ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
| fields host SystemTime EventCode USERNAME NAME 
| lookup tutu.csv NAME as AP_NAME OUTPUT Building 
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
| stats latest(SystemTime) as SystemTime by host EventCode 
| xyseries host EventCode SystemTime 
| rename "6005" as LastLogon "6006" as LastReboot 
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
| lookup toto.csv HOSTNAME as host output SITE 
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
| sort -"Days without reboot"

manjunathmeti · ‎03-12-2020

Hi @jip31,

You need to rename field in macro: wire definition. Add below query in macro `wire` search query.

| eval host = USERNAME

jip31 · ‎03-13-2020

Hi
it doesnt works

manjunathmeti · ‎03-13-2020

Can you provide macro `wire` query?

jip31 · ‎03-13-2020

index="wineventlogfr" sourcetype=WinEventLog (EventCode=6005 OR EventCode=6006)

manjunathmeti · ‎03-13-2020

If you have values for USERNAME field in `wire` then how come eval is not working?

| eval host = USERNAME

jip31 · ‎03-16-2020

i would like to understand....

gaurav_maniar · ‎03-12-2020

Hi,

please try the below updated query,

[| inputlookup host.csv 
     | table host 
         ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
 | eval host = if(index="wire", USERNAME, host)
 | fields host SystemTime EventCode NAME 
 | lookup tutu.csv NAME as AP_NAME OUTPUT Building 
 | eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
 | stats latest(SystemTime) as SystemTime by host EventCode 
 | xyseries host EventCode SystemTime 
 | rename "6005" as LastLogon "6006" as LastReboot 
 | eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
 | eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
 | lookup toto.csv HOSTNAME as host output SITE 
 | stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
 | sort -"Days without reboot"

accept and up-vote the answer if it helps.

jip31 · ‎03-13-2020

Hi
no results...

jip31 · ‎03-17-2020

Is anybody can help?

renjith_nair · ‎03-12-2020

@jip31, in the above the search, on which line you are trying rename/condition?
If you do not have a host value in the events from wire, probably try host=coalesce(host,USERNAME) after line 4

---
What goes around comes around. If it helps, hit it with Karma 🙂

jip31 · ‎03-13-2020

hi
I try after line 3
I tried your proposal but it doesnt works

Help on field renaming wich dont works

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application