Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get the license usage of other hosts which do not match a pattern?

kiran_mh
Explorer
‎09-20-2016 12:22 AM

Hi,

We have the following query:

index =_internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

which gives us the license usage of hosts in a particular team,

we want to get the license usage of other hosts which do not match the given patterns above.

Thanks in advance.........

Tags (1)
0 Karma
Reply

inventsekar
Super Champion
‎09-20-2016 06:42 AM

On the eval case statement, we can add a default match for all others as 1=1, "other_teams"

index =internal source =*license_usage.log type ="Usage" | eval Team =case(h like "%-ec2%" OR h like "%-usnw%" OR h like "%-usw%" OR h like "IP-%" OR h like "%-EU%" OR h like "%-SYD%" OR h like "%-BR%" OR h like "%-AP%" OR h like "%-JP%" OR h like "%-load%" OR h like "ens-%", "AWS", h like "%-IAD" OR h like "%-FRA" OR h like "%-LAS" OR h like "%-AMS" OR h like "%-STAGE", "COLO" , h like "STORAGE-BIGDATA-%" OR h like "SF-AZUZE-%" OR h like "STORAGE-USE-%" OR h like "STORAGE-USNC-%" OR h like "STORAGE-APE-%" OR h like "STORAGE-EUN-%", "AZURE",1=1, "othe teams") | eval GB=(b/(1024*1024*1024)) | stats sum(GB) by Team | rename sum(GB) as License_Usage_GB | sort -License_Usage_GB

0 Karma
Reply

JDukeSplunk
Builder
‎09-20-2016 05:57 AM

I think that a 1=1, "Other" would work for you. 

"STORAGE-EUN-%", "AZURE", h 1=1, "Other") | eval GB=

Or maybe 

|search NOT Team=*
0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...