I want to create a search out of the below event, to raise an alert if a particular system has the label lostinterface or the label is not there. In profiles we have 2 values, i.e. tndsubnet1 and tndsubnet2; how can we make the search separate out the systems in tndsubnet1 and tndsubnet2 accordingly?
I have been receiving alerts with an empty hostname string. In all the events, the hostname is missing. To resolve this, I plan to create a field named "asset_found." If a hostname is found, it will be added to this field. In the absence of a hostname, the mac address will be added, and if that too is unavailable, an empty string will be added.
Could you help with the search?
You can use the below eval to create the asset_found field.
| eval asset_found=coalesce(hostname, mac_address,"")
You have to understand that "is not working" conveys little information even in the best of cases. The phrase is useless when other parties in the discussion have no insight into your data. Can you illustrate the data? Explain the data characteristics? What is the code you attempted? What is the result? You are making volunteers shoot in the dark.
You can try the below:
| stats latest(Labels) as Labels by profile | where isnull(Labels) or Labels="lostinterface"
How can we fill the empty values of a "labels" field with the string "manage"?
You can use fillnull to replace null values, or you can use the if() function to define a value when the original value is null. Using @scelikok's solution:
| stats latest(Labels) as Labels by profile | where isnull(Labels) or Labels="lostinterface" | fillnull Labels value=manage
| stats latest(Labels) as Labels by profile | where isnull(Labels) or Labels="lostinterface" | eval Labels = if(isnull(Labels), "manage", Labels)
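Putting the three answers together into one search that also splits the systems by subnet, as an added example rather than code from any of the posts above; the index and sourcetype are placeholders, and the field names profile, Labels, hostname and mac_address are assumed to be as the question describes:

```spl
index=YOUR_INDEX sourcetype=YOUR_SOURCETYPE
| eval asset_found=coalesce(hostname, mac_address, "")
| eval subnet=case(profile=="tndsubnet1", "tndsubnet1",
                   profile=="tndsubnet2", "tndsubnet2",
                   true(), "other")
| stats latest(Labels) as Labels by subnet, asset_found
| fillnull value="manage" Labels
| where Labels="manage" OR Labels="lostinterface"
| stats values(asset_found) as systems, count as system_count by subnet, Labels
```

The final stats gives one row per subnet and label (manage for missing, lostinterface for the explicit label), so the alert condition can simply be system_count > 0 and the systems field lists what to look at; events whose asset_found ends up as an empty string will not appear in a by clause, so in practice a fallback such as "unknown" instead of "" keeps them visible.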