Archive

Consolidation of tstats results.

Contributor

We're performing a migration of our syslog infrastructure and I need to get some metrics that show progress. Since the legacy environment would have a source name of "/data/device/path/to/file" and the new environment has a source name of "/syslog/device/path/to/file" I'm trying to manipulate the results so that

1) if the source name begins with: /data ... set syslogsource = "OldSyslog"
2) if the source name begins with: /syslog ... set syslog
source = "NewSyslog"

But my SPL is clearly flawed here as the 'count' from a 'source' doesn't get passed to syslog_source.

| tstats count WHERE index=* (source="/data/*"  OR source="/syslog/*") earliest=-6d@d latest=@d by _time span=1d source
| eval syslog_source=case(match(source,"/syslog/*"),"NewSyslog",match(source,"/data/*"),"OldSyslog") 
| xyseries _time, syslog_source, count

The goal here is to just consolidate the count of all sources matching "/data" or "/syslog" into counts of 'syslog_source', but I'm not sure how to pass those counts along.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi pkeller,

just checked and this basic example works for me:

| tstats count WHERE index=* (source="/opt/*" OR source!="/opt/*") earliest=-6d@d latest=@d by _time span=1d source 
| eval opt_source=case(match(source,"opt"),"IsOpt",match(source,"[^(?:opt)]"),"IsNotOpt") 

try to use a different regex match and add a catch all statement at the end to get events that don't match (for what ever reason), for example:

| eval syslog_source=case(match(source,"/syslog"),"NewSyslog",match(source,"/data"),"OldSyslog", 1=1, "unknown")

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Hi pkeller,

just checked and this basic example works for me:

| tstats count WHERE index=* (source="/opt/*" OR source!="/opt/*") earliest=-6d@d latest=@d by _time span=1d source 
| eval opt_source=case(match(source,"opt"),"IsOpt",match(source,"[^(?:opt)]"),"IsNotOpt") 

try to use a different regex match and add a catch all statement at the end to get events that don't match (for what ever reason), for example:

| eval syslog_source=case(match(source,"/syslog"),"NewSyslog",match(source,"/data"),"OldSyslog", 1=1, "unknown")

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

Ultra Champion

index= (source="/data/" OR source=/syslog/) some wildcards and double quotes maybe? ; -)

0 Karma

Contributor

They were in there ... just didn't format it as a code snippet.

0 Karma

Ultra Champion

oh - I see

0 Karma