Splunk Search

column name updated how to keep both query results ini same dashboard

surekhasplunk
Communicator

Hi,

index="spectrum"  * | eval foo=_cd | rename "ns1.alarm.ns1.attribute{}.$" as value "ns1.alarm.ns1.attribute{}.@id" as attr | table _time foo attr value| eval id=_cd | eval value=mvzip(attr,value) | mvexpand value | eval attr=mvindex(split(value,","),0) | eval value=mvindex(split(value,","),1) | lookup attr_alarm_spectrum.csv attr OUTPUT field | table _time,field,value,foo | fillnull field,value,foo  | eval {field}=value | fields - field,value | stats values(*) as * by _time,foo | fields - foo  | eval Severity=if(Severity="3","Critical",if(Severity="2","Major","Minor")) | search Severity=Minor (Name="***" OR IP="*")  | lookup  State_of_the_Asset_List_on_Unicorn.csv Ip as IP output  "Infrastrucure Name" | table _time, Severity,Name,IP,Secure_Domain,Type,Title,Landscape,Acknowledged,Ticket_ID "Infrastrucure Name" | sort -_time

In this query i was using ns1.alarm.ns1.attribute{} and ns1.alarm.ns1.attribute{}.@id but now due to the tool upgrade the json data which am receiving has got changed to alarms.attribute{} and alarm.attribute{}.@id. So if i go ahead and update this query then post upgrade data is only visible but not before upgrade as the column names were different.

So what do you suggest here to do ? to be able to see all the data with same 1st query ?

Tags (2)
0 Karma

jawaharas
Motivator

Instead of the 'rename' command, you can use 'if' and 'isnotnull' function as shown below to get data from both the fields.

index="spectrum" * 
| eval foo=_cd 
| eval value=if(isnotnull(ns1.alarm.ns1.attribute{}),ns1.alarm.ns1.attribute{},alarms.attribute{})
| eval attr=if(isnotnull(ns1.alarm.ns1.attribute{}.@id),ns1.alarm.ns1.attribute{}.@id,alarm.attribute{}.@id)
| table _time foo attr value 
| ...
0 Karma

surekhasplunk
Communicator

Hi @jawaharas,

My queries are working perfect. Its just that with ns1.alarm.ns1.attribute data is coming previous to 18th july and with alarm.attribut data is coming post 18th July. As after upgrade of the tool the names got changed.

0 Karma

jawaharas
Motivator

Try the suggested query. It should return data from both the fields (before and after the date you mentioned)

0 Karma

jawaharas
Motivator

@surekhasplunk
Can you accept the answer if it's helped you? Thanks.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...