hello,
So i have this crazy query and i know there has to be a better way to do this, just not sure what it might be. Quick explanation of the query, the first section is simply filtering down the syslogs to only look at specific entries. Then i use some regex to pull out my fields because the log format keeps changing so i haven't had time to actually create fields. In my regex i create this field called appgr for app group. ms is milliseconds based on a response time. datacenter is which of many data centers.

So here is where the problem comes in, in order to chart the app groups by data center I end up having a crazy case statement for each app group. Which of course there are lots off. I was trying to think if there was a way to just loop through appgroup values? Not sure.

I guess in short, ultimately i would like to timechart the 90th percentile for milliseconds by data center and app group.

Hopefully it makes sense, thanks, Ethan

index=network sourcetype="syslog" "Security Zone:" "Application:" origin NOT .gif NOT *.png NOT *.js NOT *.css | dedup raw | rex "(?i) Member:(\s|)(?P[^\s^]{0,250})" | rex "(?i)Time:\s(?P[^\s^ms]{0,250})" | rex "^.?Member:.*_(?P[^\s]{0,250})\s.*Time:" | eval DC_case=case(datacenter = "foo" AND appgr="appgrpbar", "DCfoo_appgrpbar", datacenter = "foo2" AND appgr="appgrbar", "DCfoo2_appgrbar",datacenter = "foo" AND appgr="appgrpbar1", "DCfoo_appgrpbar1", datacenter = "foo1" AND appgr="appgrpbar1", "DCfoo1_appgrpbar1", datacenter = "foo" AND appgr="appgrpbar2", "DCfoo_appgrpbar2", datacenter = "foo1" AND appgr="appgrpbar2", "DCfoo1_appgrpbar2", datacenter = "foo" AND appgr="appgrpbar3", "DCfoo_appgrpbar3") | timechart span=20s perc90(ms) by DC_case