Splunk Search

How do you get a description field with the output result fields?

vrmandadi
Builder

I have the below query

index=main AND sourcetype="abc" AND id=* AND ((state="terminated" AND image.attributes.name!="emr*") OR private_ip_address!=null) 
| eval time=strftime(_time,"%d/%m/%Y %H:%M:%S") 
| eval state = if(state=="terminated", state, null()) 
| eval node=aws_account_id 
| eval resource="Instance Termination" 
| eval type="Instance Terminated" 
| eval severity=1 
| stats values(private_ip_address) AS private_ip_address values(state) AS state BY id image.attributes.name 
| mvexpand private_ip_address 
| search state=terminated 
| search private_ip_address!=null

This gives the correct output with id, image.attributes.name, private_ip_address and state. Now I want to have a description field that will change according to the results, but it's not populating because of the stats command running before this. How can we modify the search to produce this output?

| eval description="The instance : " . 'image.attributes.name' . " with id: " . id . " has status " . state . " with ip " . private_ip_address . " at " . time

Thanks

0 Karma

woodcock
Esteemed Legend

No, no, no. Do not use + for concatenation because its primary function is addition, and if any of your variables ever has a number in it, you will generate a NaN error. Switch back to using "." but make sure that you have spaces on each side of each period.

0 Karma

vrmandadi
Builder

I got it; using + between each field worked:

index=main AND sourcetype="aws:description" AND id=* AND ((state="terminated" AND image.attributes.name!="emr*") OR private_ip_address!=null) 
| eval time=strftime(_time,"%d/%m/%Y %H:%M:%S") 
| eval state = if(state=="terminated", state, null()) 
| stats latest(state) AS state, values(private_ip_address) AS private_ip_address, latest(time) AS time BY id image.attributes.name aws_account_id 
| rename image.attributes.name AS name 
| mvexpand private_ip_address 
| search state=terminated 
| search private_ip_address!=null 
| eval node=aws_account_id 
| eval resource="Instance Termination" 
| eval type="Instance Terminated" 
| eval severity=1 
| eval description="The instance: " + name + " with id: " + id + " has status: " + state + " with ip: " + private_ip_address + " at time: " + time
0 Karma

vnravikumar
Champion

Hi @vrmandadi

Try like

your query.. | stats values(private_ip_address) AS private_ip_address values(state) AS state BY id image.attributes.name 
| eval temp= mvzip(private_ip_address, state) 
| mvexpand temp
| rex field=temp "(?<private_ip_address>[^\,]+)\,(?<state>[^\,]+)"
| eval description="The instance : " . 'image.attributes.name' . " with id: " . id . " has status " . state . " with ip " . private_ip_address . " at " . time
0 Karma

vrmandadi
Builder

I tried this but it did not work

0 Karma

lakshman239
SplunkTrust
SplunkTrust

Did you try to add your | eval description before stats? Also, you would need to add 'description' to your stats BY clause.

0 Karma

vrmandadi
Builder

Yes I did but no luck

0 Karma
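The point the thread circles around is that stats only emits the fields it aggregates or groups by; any field evaluated before it (here time) is gone afterwards, so an eval after stats that references it silently produces null. The following search is an added example written for this page, not a query posted by any participant; it assumes the same index, sourcetype and field names as the thread and combines the working pieces: carry every field the description needs through stats with latest(), rename the dotted field so the eval does not have to single-quote it, and use isnotnull() instead of comparing against the literal string "null". The base search uses private_ip_address=* (field present) where the thread used private_ip_address!=null; if the source really emits the string "null", keep the original test.

```spl
index=main sourcetype="aws:description" id=*
    ((state="terminated" AND image.attributes.name!="emr*") OR private_ip_address=*)
| eval time=strftime(_time, "%d/%m/%Y %H:%M:%S")
| stats latest(time) AS time, latest(state) AS state, values(private_ip_address) AS private_ip_address
    BY id image.attributes.name aws_account_id
| rename image.attributes.name AS name
| mvexpand private_ip_address
| where state="terminated" AND isnotnull(private_ip_address)
| eval node=aws_account_id,
       resource="Instance Termination",
       type="Instance Terminated",
       severity=1,
       description="The instance: " . name . " with id: " . id . " has status: " . state
                   . " with ip: " . private_ip_address . " at time: " . time
| table id name node private_ip_address state time resource type severity description
```

If you prefer to build description before stats, it has to appear in the BY clause, which splits the results per distinct description string; with time in the string that yields one row per event, defeating the aggregation, which is why carrying the fields through stats and evaluating afterwards is the cleaner choice.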