Solved: If my field value name changed, can I still search...

abi2023 · ‎05-02-2023

my field value name got modify. under network config field name. field value used to be "port 80 blocked"
now it got changed to "port 80 not allowed"
I don't want to lose my history data.
is any way I can use SPL to make "port 80 blocked" and "Port 80 not allowed" same so I can show in chart all the data.

abi2023 · ‎05-02-2023

basesearch | replace "port 80 blocked" with "port 80 not allowed" in network_config

this SPL change the value

View solution in original post

abi2023 · ‎05-02-2023

basesearch | replace "port 80 blocked" with "port 80 not allowed" in network_config

this SPL change the value

richgalloway · ‎05-02-2023

I would be interested in finding out how the value changed, but to change it back, use an eval command with if.

| eval network_config = if(network_config="port 80 not allowed","port 80 blocked", network_config)

---
If this reply helps you, Karma would be appreciated.

abi2023 · ‎05-02-2023

I use if and replace command but when use

| eval network_config = if(network_config="port 80 not allowed","port 80 blocked", network_config)

after this I do not see no value for the field network_config.

richgalloway · ‎05-02-2023

I'm not sure how that could happen. The value of network_config is set by the eval command to either "port 80 blocked" or the original value. Therefore, if network_config is null after the eval then it must have been null before the eval.

Please share the full query to better help us understand the problem.

---
If this reply helps you, Karma would be appreciated.

If my field value name changed, can I still search to chart all the data?

metadata

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...