topic Event Types on a Summary Index in Knowledge Management

Event Types on a Summary Index

srussellnpr — Tue, 31 Aug 2010 01:04:44 GMT

Team,

I have a summary index that looks like this:

<search string> | sistats count by UserAgent

I also have a collection of event types that group various UserAgents, such that:

[ua_iPhone]
UserAgent="iPhone"

[ua_iPad]
UserAgent="iPad"

I'd like to query the si and end up with a list of top user agents, sort of like:

index="summary" search_name="si_useragent" | stats count by UserAgent | eval eventtype=mvfilter(match(eventtype, "ua\_.*")) | top eventtype

Is this possible? Advisable?

Thanks, -S.

Stephen_Sorkin — Tue, 31 Aug 2010 03:36:01 GMT

Yes, you should be able to do this by manually running the typer command after the stats count. For example:

index="summary" search_name="si_useragent" | stats count by UserAgent | typer | eval eventtype=mvfilter(match(eventtype, "ua_.*")) | top eventtype

gkanapathy — Tue, 31 Aug 2010 03:39:50 GMT

Stephen has given you an answer. As an aside, I recommend use of a lookup table rather than eventtypes for this use case.

Stephen_Sorkin — Tue, 31 Aug 2010 05:24:29 GMT

I'd normally recommend a lookup as well, but my guess is that the actual eventtypes have wildcards, which CSV lookups don't play well with.

srussellnpr — Tue, 31 Aug 2010 20:16:14 GMT

Ah, precisely! It looks more like:

[ua_iphone] UserAgent="iPhone"

However, I was considering writing a script in python to create a dynamic lookup table, but then I heard about this eventtype approach.