Solved: How to rename multiple field names and bind them b...

CryoHydra · ‎07-12-2018

Team,

We have 3 different sourcetype on which endpoint/device are identified by different fieldname:

sourcetype=x endpoint identified by the field $host$ , sourcetype=y identified by $fqdn$ and sourcetype=z identified by $dns$

I want to bind all the devices to sourcetype , by renaming all the device field renamed to common field name $endpoint$. How to go over this?

host1 hos2 | stats count by sourcetype endpoint

renjith_nair · ‎07-13-2018

Try,

"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|stats count by sourcetype,endpoint

Happy Splunking!

View solution in original post

renjith_nair · ‎07-13-2018

Try,

"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|stats count by sourcetype,endpoint

Happy Splunking!

CryoHydra · ‎07-13-2018

Thanks !

host* - is the search string i used which mapped to host field host=host1 , host=host2 host=3

but host like client1 client2 which are present in log message for the host are also populating in the search with host=client1 host=client2 host=client3

How can i exclude host=client* ? using eval

renjith_nair · ‎07-15-2018

(host=host* AND host!=client* )

Happy Splunking!

CryoHydra · ‎07-16-2018

Thanks Renjith . But i used the below query which is time consuming.

"your base search"|eval endpoint=case(sourcetype=="x",host,sourcetype=="y",fqdn,sourcetype=="z",dns)|search endpoint=host* | stats count by sourcetype,endpoint

I have used the new field name to filter out events.

How to rename multiple field names and bind them by one common field?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor