Splunk Search

Help on field renaming which doesn't work

jip31
Motivator

Hi
I use the search below, which matches the data present in 2 indexes, followed by host.
In LastLogonBoot, the field "host" is indeed called "host".
But in wire, the field "host" is in reality called "USERNAME".
So I need to rename USERNAME to host in order to match the 2 indexes, but it doesn't work.
I have tried this:
| rename USERNAME as host
| eval host=if(index=wire, USERNAME,host)
What is the problem, please?

[| inputlookup host.csv 
    | table host 
        ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
| fields host SystemTime EventCode USERNAME NAME 
| lookup tutu.csv NAME as AP_NAME OUTPUT Building 
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
| stats latest(SystemTime) as SystemTime by host EventCode 
| xyseries host EventCode SystemTime 
| rename "6005" as LastLogon "6006" as LastReboot 
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
| lookup toto.csv HOSTNAME as host output SITE 
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
| sort -"Days without reboot"
0 Karma

manjunathmeti
SplunkTrust

Hi @jip31,

You need to rename the field in the macro `wire` definition. Add the query below to the macro `wire` search query.

| eval host = USERNAME
0 Karma

jip31
Motivator

Hi
It doesn't work.

0 Karma

manjunathmeti
SplunkTrust

Can you provide macro `wire` query?

0 Karma

jip31
Motivator
index="wineventlogfr" sourcetype=WinEventLog (EventCode=6005 OR EventCode=6006)
0 Karma

manjunathmeti
SplunkTrust

If you have values for the USERNAME field in `wire`, then how come eval is not working?

| eval host = USERNAME
0 Karma

jip31
Motivator

I would like to understand...

0 Karma

gaurav_maniar
Builder

Hi,

Please try the updated query below:

[| inputlookup host.csv 
     | table host 
         ] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now 
 | eval host = if(index="wire", USERNAME, host)
 | fields host SystemTime EventCode NAME 
 | lookup tutu.csv NAME as AP_NAME OUTPUT Building 
 | eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'") 
 | stats latest(SystemTime) as SystemTime by host EventCode 
 | xyseries host EventCode SystemTime 
 | rename "6005" as LastLogon "6006" as LastReboot 
 | eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0) 
 | eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M") 
 | lookup toto.csv HOSTNAME as host output SITE 
 | stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host 
 | sort -"Days without reboot"

Accept and up-vote the answer if it helps.

0 Karma
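An added example, written by the editor and not posted by anyone in this thread, that isolates the eval condition on two synthetic rows built with makeresults. The macro `wire` shown further down in this thread searches index="wineventlogfr", so the index field of those events is "wineventlogfr", never "wire". The index name "lastlogonboot" for the LastLogonBoot side, the host values and the USERNAME value are all constructed for the example; the LastLogonBoot macro definition is not on this page.

```spl
| makeresults count=2 
| streamstats count AS n 
| eval index=if(n=1, "lastlogonboot", "wineventlogfr"), 
       host=if(n=1, "SRV-01", "FWD-01"), 
       USERNAME=if(n=2, "WKS-0042", null()) 
| eval host_unquoted=if(index=wire, USERNAME, host) 
| eval host_quoted_wire=if(index="wire", USERNAME, host) 
| eval host_by_index=if(index="wineventlogfr", USERNAME, host) 
| eval host_coalesce=coalesce(USERNAME, host) 
| table n index host USERNAME host_unquoted host_quoted_wire host_by_index host_coalesce
```

Row 2 stands in for a `wire` event. In eval, an unquoted `wire` is a field reference, not a string, so `index=wire` compares index with a field that does not exist and the else branch (host) is taken; `index="wire"` is a string comparison but can never be true because the indexed value is "wineventlogfr". Only the comparison against the real index name, or `coalesce(USERNAME, host)` with USERNAME first, yields WKS-0042 for that row. Two caveats for the full search in this thread: the argument order of coalesce matters (coalesce(host, USERNAME) keeps the existing host value and only falls back to USERNAME when host is absent), and the `[| inputlookup host.csv | table host]` subsearch expands to a host=... filter on the base search, which is applied before any eval or rename runs, so a `wire` event only reaches the eval if its original host value is already in host.csv.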

jip31
Motivator

Hi
No results...

0 Karma

jip31
Motivator

Can anybody help?

0 Karma

renjith_nair
SplunkTrust

@jip31, in the above search, on which line are you trying the rename/condition?
If you do not have a host value in the events from wire, probably try host=coalesce(host,USERNAME) after line 4

Happy Splunking!
0 Karma

jip31
Motivator

Hi
I try it after line 3.
I tried your proposal, but it doesn't work.

0 Karma