Splunk Search

What is the best query for retrieving a field name in different languages?

jip31
Motivator

Hello,

I use the WMI search below:

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"

and I have to retrieve a specific field.

The problem is that this field is sometimes in French, sometimes in English and sometimes in German,
for example:

French: chemin de l'application défaillante
English: faulting application path
German: pfad der fehlerhaften anwendung

Is there a solution for having the log in the same language?

If not, what is the best query for retrieving the field no matter what the language is?

Thanks

0 Karma
1 Solution

whrg
Motivator

Hello @jip31,

I couldn't find any translation rules in the Splunk Add-on for Microsoft Windows. So I think you will have to do the translation yourself.

You could use the coalesce eval function to create one common field for all languages. Assuming your available fields are named faulting_application_path, chemin_de_lapplication_defaillante and pfad_der_fehlerhaften_anwendung:

| eval faulting_application_path=coalesce(faulting_application_path,chemin_de_lapplication_defaillante,pfad_der_fehlerhaften_anwendung)


0 Karma

macadminrohit
Contributor

Is Splunk not automatically identifying the field names for you?

0 Karma


jip31
Motivator

Hello,
I did this, but I think it counts only the "Chemin d’accès de l’application défaillante" events.
Is that true?

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Error"
| dedup _time
| eval faulting_application_path=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung")
| stats count by "Chemin d’accès de l’application défaillante"
| rename "Chemin d’accès de l’application défaillante" as Application, count as Errors
| sort -Errors limit=10

I need to count all the items in coalesce, so I need something like this:

| eval test=coalesce("Faulting application path","Chemin d’accès de l’application défaillante","Pfad der fehlerhaften Anwendung") 
| stats count by test
0 Karma

whrg
Motivator

It can be tricky to work with fields which contain spaces in the field name.
I think you need to use single quotation marks:

| eval faulting_application_path=coalesce('Faulting application path','Chemin d’accès de l’application défaillante','Pfad der fehlerhaften Anwendung')
| stats count as Errors by faulting_application_path
0 Karma

jip31
Motivator

Thanks, perfect!
Last question: I do the same thing for another SourceName but it doesn't work. Could you help me please?

index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application SourceName="Application Hang"
| dedup _time
| eval 'Application Path'=coalesce('Application Path','Chemin d’accès de l’application','Anwendungspfad')
| stats count as Errors by 'Application Path'
| rename 'Application Path' as Application
| sort -Errors limit=10

0 Karma

jip31
Motivator

Perfect! Thanks

0 Karma

whrg
Motivator

I think it needs to be
| eval "Application Path" = ...
and
| stats count as Errors by "Application Path"
and
| rename "Application Path" as Application

Spaces in field names can be really tricky. Better do
eval Application_Path = ...
to avoid spaces.

0 Karma
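A consolidated search that applies the fix from this thread to both SourceName values in one pass, as an added example that is not part of any post above. It assumes the localized field names quoted in the thread ("Faulting application path" / "Chemin d’accès de l’application défaillante" / "Pfad der fehlerhaften Anwendung" for Application Error, "Application Path" / "Chemin d’accès de l’application" / "Anwendungspfad" for Application Hang) are exactly the names Splunk extracts in your environment; confirm them in the fields sidebar or with `| fieldsummary` before relying on the search, and copy the apostrophe character (’ in the thread) as it appears there. The quoting rule that tripped up the earlier attempts: in eval, single quotes reference a field (required when the name contains spaces or accented characters) while double quotes create a string literal, so `coalesce("Faulting application path", ...)` returned that literal text for every event instead of the field value. In stats, rename and sort, a field name with spaces is written in double quotes, or avoided altogether by giving the eval result a name without spaces, as below.

```spl
index="windows-wmi" sourcetype="WMI:Reliability" Logfile=Application
    (SourceName="Application Error" OR SourceName="Application Hang")
| eval Application_Path=case(
      SourceName=="Application Error", coalesce('Faulting application path', 'Chemin d’accès de l’application défaillante', 'Pfad der fehlerhaften Anwendung'),
      SourceName=="Application Hang",  coalesce('Application Path', 'Chemin d’accès de l’application', 'Anwendungspfad'))
| fillnull value="(unrecognized field name)" Application_Path
| stats count AS Errors BY SourceName, Application_Path
| rename Application_Path AS Application
| sort limit=10 -Errors
```

The `case()` keys each list of localized names on SourceName so that the two event types cannot be mixed up. `fillnull` gives events whose path field arrived under a name not in the list (a fourth language, or a name with a different apostrophe character) a visible bucket in the results instead of dropping them silently; if that bucket shows up, add the missing name to the matching `coalesce()`. The `dedup _time` from the earlier searches is left out on purpose: it discards any two distinct events that share a timestamp, which undercounts crashes on busy hosts.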