So I have this crazy query, and I know there has to be a better way to do this, just not sure what it might be. Quick explanation of the query: the first section is simply filtering down the syslogs to only look at specific entries. Then I use some regex to pull out my fields, because the log format keeps changing, so I haven't had time to actually create fields. In my regex I create this field called appgr for app group. ms is milliseconds based on a response time. datacenter is which of many data centers.
So here is where the problem comes in: in order to chart the app groups by data center, I end up having a crazy case statement for each app group, of which, of course, there are lots. I was trying to think if there was a way to just loop through appgroup values? Not sure.
I guess in short, ultimately I would like to timechart the 90th percentile for milliseconds by data center and app group.
Hopefully it makes sense. Thanks, Ethan
index=network sourcetype="syslog" "Security Zone:" "Application:" origin NOT *.gif NOT *.png NOT *.js NOT *.css | dedup _raw | rex "(?i) Member:(\s|)(?P
Didn't even think of that, thanks.
So the logic on my example is the same. The problem is the fields return values like 1234, which means Data Center A. So I was using the case statement to make "friendly" names; if I simply string them together with "DC".datacenter."_".appgrp, the problem is it would look like DC3456_apA, which unfortunately doesn't mean much to our operations partners.
Lookups work perfectly though. I created a quick test and it does exactly what I need. Thanks for the help, Ethan
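The approach the thread lands on (a lookup for the friendly data-center names, then one combined group field for timechart) written out end to end, as an added example that is not from the original question or replies. It assumes a lookup named dc_names backed by a CSV with columns datacenter and dc_name (for instance 1234 -> DataCenterA, 3456 -> DataCenterB); the sample events built with makeresults, the field names appgrp, datacenter, ms and dc_name, and the response_time=...ms log format the rex patterns match are all constructed for the example, since the original regex is truncated on the page.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time=now() - (n * 300)
| eval _raw=case(
    n%3==1, "Security Zone: trust Application: apA Member: 1234 origin=web response_time=120ms",
    n%3==2, "Security Zone: trust Application: apB Member: 3456 origin=web response_time=450ms",
    true(), "Security Zone: trust Application: apA Member: 3456 origin=web response_time=80ms")
| rex "(?i)Application:\s*(?<appgrp>\S+)"
| rex "(?i)Member:\s*(?<datacenter>\d+)"
| rex "(?i)response_time=(?<ms>\d+)ms"
| lookup dc_names datacenter OUTPUT dc_name
| eval dc_name=coalesce(dc_name, "DC".datacenter)
| eval group=dc_name."_".appgrp
| timechart span=15m perc90(ms) by group
```

In production the makeresults, streamstats and the first eval are replaced by the base search and rex from the question; everything from the lookup down stays the same. The coalesce line is the caveat worth keeping: a datacenter code missing from the CSV still charts as DC<code>_<app> instead of silently dropping out of the group field, so a new data center shows up in the chart and in the lookup's to-do list rather than disappearing.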