i kind of already have this working but wondering what else can be done with this?what other approaches i can implement?
So,In order to simplify analysis I have been testing a search macro and I’m wondering of some of the features could be implemented in better ways in Splunk. It would be nice if we just inherently had these more “friendly” fields.
I created a Search macro named “SAP” which:
• Filters to only return where index like “stone*” to only show our logs
• Converts host name to environment (DEV, QA, UAT, PRODINT, PROD)
Available as a new field named “environment”
• Converts host name to application (FAM, KLM App,KLM Web)
Available as a new field named “application”
• Converts host name to friendlyhost (DEV FAM, DEV KLM App, DEV KLM Web, QA FAM, etc…)
Available as a new field named “friendlyhost”
one of the examples i use is
SAP | timechart count by friendlyhost or by environment/application
this works fine, but i was wondering if there is a more elegant way of doing this.If i can build these “environment”, “application”, “friendlyhost” fields behind the scenes so i don’t need to use the search macro as the macro complicates the query a bit.
Thanks for all the help
Calling the macro AFTER the search condition will be costly. (as all events will be returned, then passed to the macro for later filtering)
It may be better to make one macro that goes in the main search condition (before the | ), to do the filter.
For the host/envitonment extractions, if they are simple regex, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.
Thanks yannk.automated field extraction will not work for me.i have 14 servers with long ass names and when i want to bring up a report for all these environments i have to type every single one of those server names in my search.maybe i can create an eventtype for some of the environments.
Your comment (which shouldn't have been posted as an answer) doesn't make too much sense to me.
The macro you described in your question only populates some additional fields, derived from the host field. That sounds like a perfect case to implement using automated extractions and/or lookups.
Why would implementing these conversions as automated lookups/extractions rather than using the macro mean you have to type every single servername into your search?