Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to display raw result if no specific result is available?

jalfrey
Communicator
‎08-30-2013 02:14 PM

I'm doing a pretty basic search which looks for a "connection closed" message and displays a variable called app. I have an automatic lookup which converts the app value to an application name. Not all of the values can be looked up in my lookup table. How do I run a search and display the application name (app_name) and if that's not available then display the app (numeric value)?

Here is the search I have made that calculates bytes sent/received and displays bot the app name and the app numeric value.

app=* "Connection Closed" | stats sum(sent) sum(rcvd) by dst_ip app | lookup sonicwall_app_id app_id as app OUTPUT app_name as Application | fields dst_ip, Application, app, sum(sent), sum(rcvd) | rename dst_ip as "Destination IP" | rename app to "App ID" | rename sum(sent) as "Bytes Sent" | rename sum(rcvd) as "Bytes Received"

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎08-30-2013 02:42 PM

Create a field that uses either the app_name if it's not null, otherwise use app_id:

... | eval yournewfield = coalesce(app_name, app_id) | ...

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎08-30-2013 02:42 PM

Create a field that uses either the app_name if it's not null, otherwise use app_id:

... | eval yournewfield = coalesce(app_name, app_id) | ...
Reply
Solved! Jump to solution

Rob
Splunk Employee
Splunk Employee
‎08-30-2013 03:22 PM

+1 on a nice use of coalesce!

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎08-30-2013 03:08 PM

my final search looks like:

index=sonicwall app=* "Connection Closed" | stats sum(sent) sum(rcvd) by dst_ip app | lookup sonicwall_app_id app_id as app OUTPUT app_name | eval "Application" = coalesce(app_name, app) | fields dst_ip, "Application", sum(sent), sum(rcvd) | rename dst_ip as "Destination" | rename sum(sent) as "Sent Bytes" | rename sum(rcvd) as "Received Bytes"

0 Karma
Reply
Solved! Jump to solution

jalfrey
Communicator
‎08-30-2013 03:08 PM

that worked great! Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...