Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I use the latest value given to replace a field that is NULL but both event have one common value?

Kitteh
Path Finder
‎10-10-2017 02:19 AM

As stated I want the latest value in "Hash Value" and "Type" column to be filled instead of being "NA" and "Unknown" which I hardcoded if NULL. I want the latest value to be carried over instead of being null if the "Location" column have the common value.

Referring to the screenshot, I want the file "what is this", its hash value and type from the latest which is below it to be carried up.

alt text

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 04:46 AM

try adding this to the end of your search:

|eventstats latest('Hash Value') as latesthash latest(Type) as latesttype by location|eval "Hash Value"=if('Hash Value'="NA",latesthash,'Hash Value')|eval Type=if(Type="NA",latesttype,Type)

if Hash Value doesn't work, try latest(Hash Value) as latesthash otherwise try renaming it without the space. Sometimes Splunk is touchy with spaces in field names.

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎10-10-2017 10:22 AM

@Kitteh, what if the latest value of Hash Value or Type is NA or Unknown since it is NULL? Can you provide your current search?

You can use the map command to get the last() values for Hash Value and Type for your base search and then pass on the same to your actual search to perform fillnull with these selected values. However, without a peep at your existing search it will be tough to provide actual search:

<YourBaseSearch>
| stats last('Hash Value') as HashValue last(Type) as Type
| map search= "<YourBaseSearch>
           | table \"Hash Value\" Type
           | fillnull value=\"$HashValue$\" \"Hash Value\" 
           | fillnull value=\"$Type$\" Type "

Or something like following run anywhere example:

| makeresults
| eval 'Hash Value'="FFABCD1234",Type="File"
| stats last('Hash Value') as HashValue last(Type) as Type
| map search="| makeresults
| eval Hash Value=if(isnull('Hash Value'),\"$HashValue$\",'Hash Value')
| eval Type=if(isnull(Type),\"$Type$\",Type)"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Kitteh
Path Finder
‎10-10-2017 06:39 PM

Pardon me, heres my query.

sourcetype="file_system_change"
| where action="update" OR action="delete" OR action="add"
| rex field=_raw "^(?P.*)action="
| eval Timing=if(action="delete", Timestamp, modtime)
| replace delete WITH "Deletion" IN action
| replace add WITH "New File/Directory" IN action
| replace update WITH "Modification Detected" IN action
| eval Type = coalesce (case(isdir=1, "Directory", isdir=0, "File"), "Unknown")
| eval Hash=if(isnull(hash), "NA", hash)
| table Timing, path, Hash, host, action, Type
| rename Timing AS "Time of Modification" path AS "Location" Hash as "Hash Value" host AS "Machine" action AS "Action"

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎10-11-2017 11:30 AM

First off you should move the where query conditions to your base query for faster results as per Splunk query optimization guidelines.

sourcetype="file_system_change" 
| where action="update" OR action="delete" OR action="add"
| <YourRemainingSearch>

Should be re-written as 

sourcetype="file_system_change" action="update" OR action="delete" OR action="add"
| <YourRemainingSearch>

Please let me know if you would be interested in exploring map command as a solution for your use case since you already have another option working for you.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Kitteh
Path Finder
‎11-21-2017 12:33 AM

Yes I am still interested in exploring map command, do you mind replacing what my command is to what you are trying to type down? The amount of slash and money sign is confusing me

0 Karma
Reply
Solved! Jump to solution
Solution

cmerriman
Super Champion
‎10-10-2017 04:46 AM

try adding this to the end of your search:

|eventstats latest('Hash Value') as latesthash latest(Type) as latesttype by location|eval "Hash Value"=if('Hash Value'="NA",latesthash,'Hash Value')|eval Type=if(Type="NA",latesttype,Type)

if Hash Value doesn't work, try latest(Hash Value) as latesthash otherwise try renaming it without the space. Sometimes Splunk is touchy with spaces in field names.

Reply
Solved! Jump to solution

Kitteh
Path Finder
‎10-11-2017 02:05 AM

I've changed eventstats to streamstats, fixed the issue. Thanks anyway ur query helped

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎10-11-2017 04:35 AM

oh good, i'm glad that simple fix [eventstats to streamstats] did the trick!

0 Karma
Reply
Solved! Jump to solution

Kitteh
Path Finder
‎10-10-2017 06:56 PM

Doesnt seem to be working well but at least it filled up the unknown and NA ones

https://imgur.com/a/8PPqi

Hope the link i pasted can be seen

0 Karma
Reply
Solved! Jump to solution

Kitteh
Path Finder
‎10-10-2017 06:56 PM

What is wrong now is, it uses the hash from the wrong file as its own. Also the directory. it doesnt tally the past file records

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...