https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516701#M145238 <P>And another option is to use tags for those deployments. Just add tag as wanted deployment per server.</P><P>r. Ismo</P><P><A href="https://www.splunk.com/view/SP-CAAAGYJ" target="_blank">https://www.splunk.com/view/SP-CAAAGYJ</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Abouttagsandaliases" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Abouttagsandaliases</A></P><P>&nbsp;</P> Fri, 28 Aug 2020 13:36:18 GMT isoutamo 2020-08-28T13:36:18Z https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516654#M145223 <P>Hi all,</P><P>I searching web server's centralized logs and getting results from multiple servers. But those servers belongs to different deployments. For example:</P><P>- srv1, srv7, srv9, ... belongs to deployment Fin</P><P>- srv15, srv19, srv21, ... belongs to deployment Jpn</P><P>- srv100, srv 102, srv110, ... belongs to deployment Bra</P><P>On the results I can see the hosts, but I'm looking possibilities to group the servers into own deployments. Is that something I could do during the search by giving an array where servers are listed, or some other way? Or is this something I should do earlier?</P> Fri, 28 Aug 2020 08:29:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516654#M145223 Petri-X 2020-08-28T08:29:40Z https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516655#M145224 <LI-CODE lang="markup">... | eval deployment=case(in(server,"srv1","srv7","srv9"),"Fin",in(server,"srv15","srv19","srv21"),"Jpn",in(server,"srv100","srv102","srv110"),"Bra")</LI-CODE> Fri, 28 Aug 2020 08:51:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516655#M145224 ITWhisperer 2020-08-28T08:51:10Z https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516657#M145225 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225562">@Petri-X</a>,<BR /><BR />2 of many options:<BR /><BR />1.) Create a Lookup table with 2 columns: host, deployment.<BR />In your SPL you would then add this to add the deployment:<BR /><BR /></P><LI-CODE lang="markup">| lookup host_deployment.csv host OUTPUT deployment</LI-CODE><P>&nbsp;</P><P>2.) You could use case, I guess makes only sense if the list is rather small...<BR /><BR /></P><LI-CODE lang="markup">| eval deployment=case(host="srv1", "Fin", host="srv15", "Jpn")</LI-CODE><P><BR />The case option could be even made a bit smarter, if you extract the number of the server, and then work with ranges....but in general I would work with the 1.) option .<BR /><BR />BR<BR />Ralph<BR />--<BR /><EM>Karma and/or Solution tagging appreciated.</EM></P> Fri, 28 Aug 2020 08:56:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516657#M145225 rnowitzki 2020-08-28T08:56:27Z https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516659#M145226 <P>Ooh !! This was super quick !!</P><P>Huge thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/64317">@rnowitzki</a>&nbsp;and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;for your help !</P><P>I believe I'll use the case option !</P> Fri, 28 Aug 2020 09:08:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516659#M145226 Petri-X 2020-08-28T09:08:52Z https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516701#M145238 <P>And another option is to use tags for those deployments. Just add tag as wanted deployment per server.</P><P>r. Ismo</P><P><A href="https://www.splunk.com/view/SP-CAAAGYJ" target="_blank">https://www.splunk.com/view/SP-CAAAGYJ</A></P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Abouttagsandaliases" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Abouttagsandaliases</A></P><P>&nbsp;</P> Fri, 28 Aug 2020 13:36:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-group-search-results/m-p/516701#M145238 isoutamo 2020-08-28T13:36:18Z