Good morning to you all and happy Thursday!
I have a set of data called server_os which contains CentOS 5, CentOS 6 and CentOS 7.
As CentOS 5 is end of life, and so will CentOS 6 be soon, I want to create a radio button for my analyst so that once they click on "EOL", as shown here, it shows specific data for those 2 (or more) servers in the below graphs, tables etc.
Windows was easy because “server_os”=win 2008
What is the best way to get around this?
I’ve tried:
index=u* server_os=*
| eval EOL=case(match(server_os,"(?i)CentOS 4/5 or later \(64-bit\)"),1 ,match(server_os,"(?i)CentOS 6 \(64-bit\)"),1)
| search EOL=1
| dedup host, server_os
| rename server_os AS EOL
| table EOL
Just getting stuck so any ideas are welcome.
Note for Windows this worked:
Static does not seem to accept multiple values and adding another EOL underneath.
Note II that I adjusted the value nicer as this was a test.
Thanks!
Simplifying a bit here, versus what I have done in my environment to do basically the same thing.
My goal was to only have to edit a lookup as we find new OS variants or support changes; no editing dashboards or search code.
Write a search that identifies all the OS's in your environment and test tabling to a table.
Create an alert (only have to update if more than 1 result):
| inputlookup os_supported_lookup.csv
| append [ search index=u* server_os=*
| stats count by server_os
| rename server_os as os
| table os ]
| stats values(supported) as supported by os
| eval supported=if(supported>0, 1, 0)
| table os, supported
| outputlookup os_supported_lookup.csv
I then use the lookup editor to edit, manage and update OS's as they end support. Also, any new OS's found automatically get added to the list.
Then you can set up your search filter to say all / eol, whatever:
ALL=*
supported=1
eol=0
Set up the search:
index=u* server_os=*
| lookup os_supported_lookup.csv os AS server_os OUTPUT supported
| search supported=$supported$
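One way to wire the lookup above into the radio button the question asks for, as a Simple XML form (an added example, not from either poster). The token name supported matches the answer's filter values; the labels, the 24-hour time range and the fillnull step are assumptions.

```xml
<form>
  <label>Server OS support status</label>
  <fieldset submitButton="false">
    <!-- Radio values follow the answer: ALL=*, supported=1, eol=0 -->
    <input type="radio" token="supported" searchWhenChanged="true">
      <label>OS support filter</label>
      <choice value="*">All</choice>
      <choice value="1">Supported</choice>
      <choice value="0">EOL</choice>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Hosts by OS support status</title>
        <search>
          <!-- Assumption: an OS missing from the lookup is marked "unknown"
               so it still shows under All, but not under Supported or EOL -->
          <query>index=u* server_os=*
| lookup os_supported_lookup.csv os AS server_os OUTPUT supported
| fillnull value="unknown" supported
| search supported=$supported$
| dedup host, server_os
| table host, server_os, supported</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the filter is driven only by the lookup, marking CentOS 6 as end of life later means changing one row in os_supported_lookup.csv, with no edit to the dashboard.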
Excellent and simple solution, which I could figure out as well. But I didn't! Thanks @kennetkline