Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to rename multiple field names and bind them b...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CryoHydra
Path Finder
07-12-2018
03:41 AM
Team,
We have 3 different sourcetype on which endpoint/device are identified by different fieldname:
sourcetype=x endpoint identified by the field $host$ , sourcetype=y identified by $fqdn$ and sourcetype=z identified by $dns$
I want to bind all the devices to sourcetype , by renaming all the device field renamed to common field name $endpoint$. How to go over this?
host1 hos2 | stats count by sourcetype endpoint
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-13-2018
07:25 AM
Try,
"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|stats count by sourcetype,endpoint
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-13-2018
07:25 AM
Try,
"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|stats count by sourcetype,endpoint
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CryoHydra
Path Finder
07-13-2018
07:55 AM
Thanks !
host* - is the search string i used which mapped to host field host=host1 , host=host2 host=3
but host like client1 client2 which are present in log message for the host are also populating in the search with host=client1 host=client2 host=client3
How can i exclude host=client* ? using eval
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
07-15-2018
07:12 PM
(host=host* AND host!=client* )
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CryoHydra
Path Finder
07-16-2018
07:03 PM
Thanks Renjith . But i used the below query which is time consuming.
"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|search endpoint=host* | stats count by sourcetype,endpoint
I have used the new field name to filter out events.
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
