topic Re: how to differentiate single sourcetype based on 3 different OS using eval in Getting Data In

how to differentiate single sourcetype based on 3 different OS using eval

dtccsundar — Thu, 25 Nov 2021 06:35:07 GMT

I have a single sourcetype where i need to differentiate the same sourcetype into 3 different categories based on OS field .I tried using append but since takes lot of memory by calling same sourcetype 3 different times ,i need a different approach instead of append.

My code :

index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Linux" OR OS="Solaris" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Status="Installed"
| eval group="Unix Server"

| append
[| search index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Windows" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Hardware_Status="Installed"
| eval group="Windows "]|stats count by group

Can this be merged into one single query without using append ? This will help me to not running same sourcetype 2 times.

Re: how to differentiate single sourcetype based on 3 different OS using eval

scelikok — Thu, 25 Nov 2021 06:56:34 GMT

Hi @dtccsundar,

You can create group field using one more case like below;

index=A sourcetype=Server | fillnull value="" | eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others") | eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment) | search OS IN ("Linux","Solaris","Windows") (Environment="PSE" OR Environment="Prod") Eligibility="Upper" (Status="Installed" OR Hardware_Status="Installed") | eval group=case((OS="Linux" OR OS="Solaris") AND Status="Installed","Unix Server",(OS="Windows" OR OS="Solaris") AND Hardware_Status="Installed","Windows") | stats count by group

Re: how to differentiate single sourcetype based on 3 different OS using eval

renjith_nair — Thu, 25 Nov 2021 07:00:03 GMT

You can combine using another eval for group.

For e.g

index=A sourcetype=Server | fillnull value="" | eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others") | eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment) | search (Environment="PSE" OR Environment="Prod") AND Eligibility="Upper" AND Status="Installed" | eval group = case(OS="Windows","Windows",OS="Linux" OR OS="Solaris","Unix Server",1=1,"Unknown") | stats count by group

Re: how to differentiate single sourcetype based on 3 different OS using eval

dtccsundar — Thu, 25 Nov 2021 09:24:04 GMT

This Worked !! Thank you .