Splunk Search

How to filter out events to make a search out of it?

AL3Z
Builder

Hi,
I want to create a search out of the below event, to raise an alert if a particular system has the label lostinterface or the label is not there. In profiles we have 2 values, i.e. tndsubnet1 and tndsubnet2; how can we make the search separate out the systems in tndsubnet1 and tndsubnet2 accordingly to make a search?


Thanks..


scelikok
SplunkTrust

@AL3Z,

Could you please share sample events?


If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @AL3Z ,

@yuanliu's solution should work, but I think your field name is "labels", not "Labels". Field names are case sensitive. Please try the following:

| fillnull labels value=manage


If this reply helps you an upvote and "Accept as Solution" is appreciated.

AL3Z
Builder

@scelikok, @yuanliu Hi,

I have been receiving alerts with an empty hostname string. In all the events, the hostname is missing. To resolve this, I plan to create a field named "asset_found". If a hostname is found, it will be added to this field. In the absence of a hostname, the MAC address will be added, and if that too is unavailable, an empty string will be added.
Could you help with the search?

thanks..


scelikok
SplunkTrust

Hi @AL3Z,

You can use the eval below to create the asset_found field.

| eval asset_found=coalesce(hostname, mac_address,"")

If this reply helps you an upvote and "Accept as Solution" is appreciated.

AL3Z
Builder

@scelikok ,


This is not working????


yuanliu
SplunkTrust

You have to understand that "is not working" conveys little information even in the best of cases. The phrase is useless when other parties in the discussion have no insight into your data. Can you illustrate the data? Explain its characteristics? What is the code you attempted? What is the result? You are making volunteers shoot in the dark.


scelikok
SplunkTrust

Hi @AL3Z,

You can try the following:

| stats latest(Labels) as Labels by profile
| where isnull(Labels) or Labels="lostinterface"

If this reply helps you an upvote and "Accept as Solution" is appreciated.

AL3Z
Builder

Hi @@

How can we fill the empty values of a "labels" field with the string "manage"?

Thanks


yuanliu
SplunkTrust

You can use fillnull to replace null values, or you can use the if() function to define a value when the original value is null. Using @scelikok's solution:

| stats latest(Labels) as Labels by profile
| where isnull(Labels) or Labels="lostinterface"
| fillnull Labels value=manage

or

| stats latest(Labels) as Labels by profile
| where isnull(Labels) or Labels="lostinterface"
| eval Labels = if(isnull(Labels), "manage", Labels)

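Combining the pieces from this thread into one search, as an added example that is not from any of the posters. It assumes an index named asset_inventory and the field names profile, hostname, mac_address and labels (lowercase, since field names are case sensitive), and it uses the placeholder "unknown-asset" instead of an empty string so that a system with neither hostname nor MAC address still gets its own row in stats rather than being dropped for a null by-field.

```spl
index=asset_inventory profile IN ("tndsubnet1", "tndsubnet2")
| eval asset_found=coalesce(hostname, mac_address, "unknown-asset")
| stats latest(labels) as labels by profile, asset_found
| fillnull value="manage" labels
| where labels="lostinterface" OR labels="manage"
| eval reason=if(labels="manage", "label missing", "label is lostinterface")
| table profile, asset_found, labels, reason
| sort profile, asset_found
```

Each resulting row is one system in tndsubnet1 or tndsubnet2 that either carries the lostinterface label or never had a labels field at all (the fillnull after stats is what turns that missing value into the literal "manage"); rows whose asset_found is "unknown-asset" mean field extraction for hostname and mac_address should be checked before trusting the alert.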

AL3Z
Builder

@yuanliu ,
It's not working.
