I hope it's possible but maybe I'm reaching here. I've not found anything that can do what I'm trying to do. I've even tried to just duplicate the field and use the duplicate instead of the original and still no luck. I've tried replacing | stats max(AgentVer) with | eval TA=max(AgentVer), I've tried chart instead of stats, and etc. Help joining two different sourcetypes from the same index that both have a.I. | eval Status=if(AgentVer=TA, "True","False")Īgain, the above are just examples of what I've tried. Using Splunk: Splunk Search: join search with condition erid. | eval Status=if(AgentVer=TAV, "True","False") For the second sourcetype, st2, I have the latest tags state for each hostname, and here Ive got more hostnames than in the first sourcetype. For the first sourcetype, lets call it st1, I have the list of people removing certain tags from hostnames in McAfee. Here's an example of what I have tried, but this is not exhaustive because I've tried 500 different ways. I need to make a report with 2 different sourcetypes. I've tried all kinds of ways to extract that version number and put it into its own field and then do the comparison and nothing I've tried works. Where this gets complicated is when I try to isolate the latest version. Splunk, Splunk>, Turn Data Into Doing, Data-to-Everything, and. Join 2 sourcetype on on field if time difference between 2 records is less than 3 seconds anujshah. But I wan to join records if and only if time difference if less than 3. I can get exactly what I need using the query below, but it needs to be manually updated every time the Agent version is updated. So I have 2 different source types which I can join using DEVICE field. To explain in more detail: I'm wanting the query to use the latest version of the Trellix/McAfee Agent reported in Splunk and then compare that value against the full set and return True/False if the numbers match. My end goal is to create a query that produces a True/False (or equivalent) result for each value when compared to the max value of the same field. Also, I'm wanting to make it as future proof as possible so it "just works" with little need to update or modify. Hope this helps anyone who might run into the same problems.I'm wanting to avoid using saved searches and lookup tables as much if possible so it's easily maintainable by anyone on the team. This way it doesn't matter what happens first with your data cause the source will always stay the same. In nf your stanza shouldn't address the sourcetype "weblog" but rather the source from which your data originates. BUT when this happens they are already sourcetype=access_combined and not weblog anymore so it won't work or only one of those transforms. Im not sure what youre looking to do, but heres a made-up example showing the basic idea: sourcetype'accesslog1' OR search sourcetype'accesslog2' stats first (someField) first (someOtherField) sum (bytes) by UniqueID. That way it only takes the first number after a quotation mark and a blank spaceĪlso if you try to change the index AND the sourcetype for one input you might run into problems since splunk could potentially first address the new sourcetype and then try to send events into new indexes given the regex above. Search 1: index'internal' source'metrics.log' perindexthruput seriesautoshell hostlelsplunkix eval GBkb/ (10241024) timechart span12h sum (GB) as GB by series Results: (example - 500k+ rows returned) time raw sourcetype GB 07:04:33.307 ABC ship 0.0000264551490559 07:04:31.168 LMN rum 0. there are two other ways to do it that are usually better - transaction and stats. To prevent this you could use this REGEX instead: Review the pending changes and click Submit. Adjust the remaining default values, if required, and click Review. Choose an App context for example, Search & Reporting (search). It takes up events that have maybe a status 200 followed by 404 also. See the examples in Configure NXLog to collect and process logs for more information. First: one minor change to the REGEX for the 404 status events:
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |