https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359713#M10892 <P>edited the original answer as well</P> Wed, 21 Mar 2018 06:32:20 GMT strive 2018-03-21T06:32:20Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359704#M10883 <P>I would like to search for the events from the same index but from different host names. I would like to create a new field names silo based on the host name I would like to name them as silo1 or silo2 by running 1 search instead of 2. Following is the result I am expecting.</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4566iD0B150E563D60555/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>How to achieve this is a single search? Please advise</P> Mon, 19 Mar 2018 20:13:59 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359704#M10883 kollachandra 2018-03-19T20:13:59Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359705#M10884 <P>Can you share the queries that are getting you these results and some examples of the events being returned by them?</P> Mon, 19 Mar 2018 21:25:38 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359705#M10884 elliotproebstel 2018-03-19T21:25:38Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359706#M10885 <P>There are different options based on what your data looks like. If you really only have 2 hosts then you can do something simple like this. You can create a new field called silo and then set it to the correct value based on which host the event is from.</P> <PRE><CODE>host=Host1 OR host=Host2 | eval silo=case(host="Silo1Critera", "Silo1", host="Silo2Critera", "Silo2") | stats count, avg(time_taken) by cs_uri_stem, silo </CODE></PRE> Mon, 19 Mar 2018 23:46:12 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359706#M10885 FeatureCreeep 2018-03-19T23:46:12Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359707#M10886 <P>I really appreciate your reply. This is same exact way I did initially but I wasn't getting any result.<BR /> index=iis host=server1 OR host=server3 OR host=server2 OR host=server4 <BR /> | eval silo=case(host=server1 OR host=server3 , "Silo1", <BR /> host=host=server2 OR host=server4 , "Silo2") <BR /> | stats count, avg(time_taken) by cs_uri_stem silo<BR /> | table count silo</P> <P>The query I am using now is:<BR /> index = xyz ( host=server1 OR host=server3)<BR /> | stats count avg(time_taken) by cs_uri_stem <BR /> | eval Silo = if(1==1, "Silo1", "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2) <BR /> | append <BR /> [ search index = iis ( host=server2 OR host=server4 )<BR /> | stats count avg(time_taken) by cs_uri_stem <BR /> | eval Silo = if(1==1, "Silo2", "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2)] <BR /> | table cs_uri_stem count avg(time_taken) Silo</P> <P>But this query runs 2 searches, which I would like to avoid 2 searches and implement it in 1 search.</P> Tue, 29 Sep 2020 18:36:12 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359707#M10886 kollachandra 2020-09-29T18:36:12Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359708#M10887 <P>index = xyz ( host=server1 OR host=server3)<BR /> | stats count avg(time_taken) by cs_uri_stem <BR /> | eval Silo = if(1==1, "Silo1", "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2) <BR /> | append <BR /> [ search index = iis ( host=server2 OR host=server4 )<BR /> | stats count avg(time_taken) by cs_uri_stem <BR /> | eval Silo = if(1==1, "Silo2", "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2)] <BR /> | table cs_uri_stem count avg(time_taken) Silo</P> Tue, 29 Sep 2020 18:36:14 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359708#M10887 kollachandra 2020-09-29T18:36:14Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359709#M10888 <P>Try this<BR /> index = xyz <BR /> | stats count avg(time_taken) by cs_uri_stem, host<BR /> | eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2) <BR /> | table cs_uri_stem count avg(time_taken) Silo</P> Tue, 29 Sep 2020 18:34:58 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359709#M10888 strive 2020-09-29T18:34:58Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359710#M10889 <P>Try this<BR /> <CODE>index = xyz <BR /> | stats count avg(time_taken) by cs_uri_stem, host<BR /> | eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", true(), "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2) <BR /> | table cs_uri_stem count avg(time_taken) Silo</CODE></P> Tue, 20 Mar 2018 15:35:56 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359710#M10889 strive 2018-03-20T15:35:56Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359711#M10890 <P>getting the below error. Error in 'eval' command: The arguments to the 'case' function are invalid.</P> Tue, 20 Mar 2018 15:56:14 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359711#M10890 kollachandra 2018-03-20T15:56:14Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359712#M10891 <P>Modified Search:</P> <P><CODE>index = xyz <BR /> | stats count avg(time_taken) by cs_uri_stem, host<BR /> | eval Silo = case(1==1 AND (host=server1 OR host=server3), "Silo1", 1==1 AND (host=server2 OR host=server3), "Silo2", true(), "NULL") <BR /> | eval avg(time_taken)=round('avg(time_taken)',2) <BR /> | table cs_uri_stem count avg(time_taken) Silo</CODE></P> <P>Tested similar search locally and works<BR /> <CODE>index=XYZ | stats count avg(bytes) by column1 | eval Silo = case(1==1 AND column1="CACHE_MISS", "Silo1", 1==1 AND (column1="CACHE_MEM_HIT" OR column1="CACHE_REVALIDATED_MEM_HIT"), "Silo2", true(), "NULL")</CODE></P> Wed, 21 Mar 2018 06:31:10 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359712#M10891 strive 2018-03-21T06:31:10Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359713#M10892 <P>edited the original answer as well</P> Wed, 21 Mar 2018 06:32:20 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359713#M10892 strive 2018-03-21T06:32:20Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359714#M10893 <P>I am getting NULL for everything</P> Wed, 21 Mar 2018 19:03:41 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359714#M10893 kollachandra 2018-03-21T19:03:41Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359715#M10894 <P>How about this:</P> <PRE><CODE>index=xyz host=server1 OR host=server2 OR host=server3 OR host=server4 | stats values(host) AS host, count, avg(time_taken) AS avg_time_taken BY cs_uri_stem | eval Silo=case(host="server1" OR host="server3", "Silo1", host="server2" OR host="server4", "Silo2", 1=1, "SILO NOT FOUND") | eval avg_time_taken=round(avg_time_taken, 2) | table cs_uri_stem count avg_time_taken Silo </CODE></PRE> Wed, 21 Mar 2018 19:16:52 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359715#M10894 elliotproebstel 2018-03-21T19:16:52Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359716#M10895 <P>That works!</P> <P>Thank you so much.</P> Wed, 21 Mar 2018 19:40:55 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359716#M10895 kollachandra 2018-03-21T19:40:55Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359717#M10896 <P>index=xyz host=server1 OR host=server2 OR host=server3 OR host=server4<BR /> | stats values(host) AS host, count, avg(time_taken) AS avg_time_taken BY cs_uri_stem<BR /> | eval Silo=case(host="server1" OR host="server3", "Silo1", host="server2" OR host="server4", "Silo2", 1=1, "SILO NOT FOUND")<BR /> | eval avg_time_taken=round(avg_time_taken, 2)<BR /> | table cs_uri_stem count avg_time_taken Silo</P> Tue, 29 Sep 2020 18:37:07 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359717#M10896 kollachandra 2020-09-29T18:37:07Z https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359718#M10897 <P>You're welcome. I've converted it to an answer.</P> Wed, 21 Mar 2018 19:43:24 GMT https://community.splunk.com/t5/Alerting/alert-based-on-different-keywords-sources-but-from-the-same/m-p/359718#M10897 elliotproebstel 2018-03-21T19:43:24Z