Hi,
I use the search below, which matches the data present in 2 indexes by host.
In LastLogonBoot, the field "host" is indeed called "host".
But in wire, the field "host" is in reality called "USERNAME".
So I need to rename USERNAME to host in order to match the 2 indexes, but it doesn't work.
I have tried this:
| rename USERNAME as host
| eval host=if(index=wire, USERNAME,host)
What is the problem, please?
[| inputlookup host.csv
| table host
] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now
| fields host SystemTime EventCode USERNAME NAME
| lookup tutu.csv NAME as AP_NAME OUTPUT Building
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0)
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| lookup toto.csv HOSTNAME as host output SITE
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host
| sort -"Days without reboot"
Hi @jip31,
You need to rename the field in the macro `wire` definition. Add the query below to the macro `wire` search query.
| eval host = USERNAME
Hi
it doesn't work
Can you provide macro `wire` query?
index="wineventlogfr" sourcetype=WinEventLog (EventCode=6005 OR EventCode=6006)
If you have values for USERNAME field in `wire` then how come eval is not working?
| eval host = USERNAME
I would like to understand....
Hi,
please try the updated query below,
[| inputlookup host.csv
| table host
] (`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now
| eval host = if(index="wire", USERNAME, host)
| fields host SystemTime EventCode NAME
| lookup tutu.csv NAME as AP_NAME OUTPUT Building
| eval SystemTime=strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'")
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime
| rename "6005" as LastLogon "6006" as LastReboot
| eval NbDaysReboot=round((now() - LastReboot )/(3600*24), 0)
| eval LastReboot=strftime(LastReboot, "%y-%m-%d %H:%M")
| lookup toto.csv HOSTNAME as host output SITE
| stats last(LastReboot) as "Last reboot date", last(NbDaysReboot) as "Days without reboot", last(AP_NAME) as AP, last(SITE) as Site by host
| sort -"Days without reboot"
Accept and up-vote the answer if it helps.
Hi
no results...
Can anybody help?
@jip31, in the above search, on which line are you trying the rename/condition?
If you do not have a host value in the events from wire, probably try host=coalesce(host,USERNAME) after line 4.
hi
I tried after line 3.
I tried your proposal but it doesn't work.
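As an added diagnostic that is not part of any reply in this thread: in eval, string literals need double quotes, so `index=wire` compares the index field against a field named wire, and the `wire` macro quoted above searches index="wineventlogfr", so that is the index name the condition has to test. The search below (constructed here; LastLogonBoot, wire and USERNAME are the thread's own names) normalizes the host field and then counts, per normalized host, how many of the two indexes contributed events, so the join key can be checked before building the xyseries.

```spl
(`LastLogonBoot`) OR (`wire`) earliest=-24h latest=now
| eval host=if(index="wineventlogfr", USERNAME, host)
| stats dc(index) AS nb_indexes, values(index) AS indexes, count BY host
| where nb_indexes < 2
```

Hosts reported with nb_indexes=1 are the ones whose key does not line up; because host is a default field present on every event, coalesce(host, USERNAME) always returns host, so coalesce(USERNAME, host) is the form that prefers USERNAME. Note also that the host.csv subsearch in the original search filters on the original host field before any eval runs, so wire events are only kept if their Windows host value is in that lookup.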