I have a summary index that looks like this:
<search string> | sistats count by UserAgent
I also have a collection of event types that group various UserAgents, such that:
I'd like to query the si and end up with a list of top user agents, sort of like:
index="summary" search_name="si_useragent" | stats count by UserAgent | eval eventtype=mvfilter(match(eventtype, "ua\_.*")) | top eventtype
Is this possible? Advisable?
Stephen has given you an answer. As an aside, I recommend use of a lookup table rather than eventtypes for this use case.
Ah, precisely! It looks more like:
However, I was considering writing a script in python to create a dynamic lookup table, but then I heard about this eventtype approach.
I'd normally recommend a lookup as well, but my guess is that the actual eventtypes have wildcards, which CSV lookups don't play well with.
Yes, you should be able to do this by manually running the typer command after the stats count. For example:
index="summary" search_name="si_useragent" | stats count by UserAgent | typer | eval eventtype=mvfilter(match(eventtype, "ua_.*")) | top eventtype