https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336475#M7203 <P>if you want to search a word in _raw, you don't need to insert_raw=<EM>sql</EM> you can insert sql in your search (if you run a search) or "like" or "match" functions if you're using an eval.<BR /> Something like this:</P> <PRE><CODE>index=main host="prod*" earliest=1504915200 latest=1510358400 | eval layer=case(host="web" AND like(_raw,"%sql%") AND exception!="db2","Application",like(_raw,"%ERROR%"),"Queue",like(_raw,"%sql%") AND like(_raw,"%ERROR%") AND exception="db2","Dataservice"] |stats count by layer </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 15:49:16 GMT gcusello 2020-09-29T15:49:16Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336468#M7196 <P>I have all events logged under one index. The events arent categorzied. Below is the query</P> <P>index=main host="prod*" AND host= "*web*" AND _raw!="*sql*" AND exception!="*db2*" error earliest=1504915200 latest=1510358400 | eval layer="Application"| append [search index=main host="prod*" MQ _raw="<EM>ERROR</EM>" earliest=1504915200 latest=1510358400 | eval layer="Queue"]| append [search index=main host="prod*" dataservice _raw="<EM>ERROR</EM>" earliest=1504915200 latest=1510358400 | eval layer="Dataservice"]|stats count by layer</P> <P>Is it possible to combine both to single query somehting like below so that same index need not be queried twice</P> <P>index=app host="prod*" _raw!="<EM>INFO</EM>" error earliest=1504915200 latest=1510358400 |eval layer=case(host=="<EM>web</EM>" OR host=="<EM>wap</EM>" AND _raw!="" AND _raw!="<EM>sql</EM>" AND _raw!="<EM>MQ</EM>" AND exception!="<EM>db2</EM>" AND exception !="<EM>solr</EM>", "Application", raw=="<EM>MQ</EM>", "Queue") |stats count by layer</P> Tue, 29 Sep 2020 15:45:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336468#M7196 sangs8788 2020-09-29T15:45:38Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336469#M7197 <P>Hi<BR /> it could be possible but in your search there's something I don't understand: _raw is the full event, how you can have in it "" or only "sql" or only "MQ"?<BR /> do you want to filter events for this words?<BR /> if this is your situation, you could perform something like this (eventually, modify filters in the main search)</P> <PRE><CODE>index=app host="prod*" _raw!="INFO" error earliest=1504915200 latest=1510358400 | rex "(?&lt;layer&gt;MQ) | eval layer=if(layer="MQ","MQ","Application") | stats count by layer </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 15 Sep 2017 10:45:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336469#M7197 gcusello 2017-09-15T10:45:13Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336470#M7198 <P>Edited the query. Somehow splunk didnt display the wildcard character. The above solution would only work if there is only two categories. What if i have more categorize based on different words present in the event ?<BR /> How can i categorize and display</P> Fri, 15 Sep 2017 11:29:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336470#M7198 sangs8788 2017-09-15T11:29:58Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336471#M7199 <P>Hi sangs8788,<BR /> if you can, use other regexes to extract other fields and use case in eval condition.<BR /> can you share other examples?<BR /> Bye.<BR /> Giuseppe</P> Fri, 15 Sep 2017 11:45:57 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336471#M7199 gcusello 2017-09-15T11:45:57Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336472#M7200 <P>Here is an example with dataservice included.</P> <P>index=main host="prod*" AND host= "<EM>web</EM>" AND _raw!="<EM>sql</EM>" AND exception!="<EM>db2</EM>" error earliest=1504915200 latest=1510358400 | eval layer="Application"| append [search index=main host="prod*" MQ _raw="ERROR" earliest=1504915200 latest=1510358400 | eval layer="Queue"]| append [search index=main host="prod*" _raw="<EM>sql</EM>" _raw="ERROR" exception="<EM>db2</EM>" earliest=1504915200 latest=1510358400 | eval layer="Dataservice"]|stats count by layer</P> Tue, 29 Sep 2020 15:45:40 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336472#M7200 sangs8788 2020-09-29T15:45:40Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336473#M7201 <P>Try something like this: </P> <PRE><CODE>index=main host="prod*" earliest=1504915200 latest=1510358400 | eval layer=case(host= "web" AND _raw!="sql" AND exception!="db2","Application",MQ _raw="ERROR","Queue",_raw="sql" AND _raw="ERROR" AND exception="db2","Dataservice"] |stats count by layer </CODE></PRE> <P>Anyway, I continue to don't understand how you can have _raw equal to only one word (sql or ERROR)! <BR /> or maybe when you say "_raw!=sql" you mean the in _raw there isn't "sql"?<BR /> If this is your situation use like or match in each evaluation.<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 15:47:42 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336473#M7201 gcusello 2020-09-29T15:47:42Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336474#M7202 <P>@cusello. It is not just sql or db2 in the query. It has * wildcard before and after. I guess splunk has removed the * and displayed<BR /> and above query doesnt return any results for me. Not sure what is wrong in there</P> Wed, 20 Sep 2017 07:31:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336474#M7202 sangs8788 2017-09-20T07:31:05Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336475#M7203 <P>if you want to search a word in _raw, you don't need to insert_raw=<EM>sql</EM> you can insert sql in your search (if you run a search) or "like" or "match" functions if you're using an eval.<BR /> Something like this:</P> <PRE><CODE>index=main host="prod*" earliest=1504915200 latest=1510358400 | eval layer=case(host="web" AND like(_raw,"%sql%") AND exception!="db2","Application",like(_raw,"%ERROR%"),"Queue",like(_raw,"%sql%") AND like(_raw,"%ERROR%") AND exception="db2","Dataservice"] |stats count by layer </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 15:49:16 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-append-field-value-to-events-based-on-its-category/m-p/336475#M7203 gcusello 2020-09-29T15:49:16Z