Event Types on a Summary Index

srussellnpr · ‎08-30-2010

Team,

I have a summary index that looks like this:

<search string> | sistats count by UserAgent

I also have a collection of event types that group various UserAgents, such that:

[ua_iPhone]
UserAgent="iPhone"

[ua_iPad]
UserAgent="iPad"

I'd like to query the si and end up with a list of top user agents, sort of like:

index="summary" search_name="si_useragent" | stats count by UserAgent | eval eventtype=mvfilter(match(eventtype, "ua\_.*")) | top eventtype

Is this possible? Advisable?

Thanks, -S.

gkanapathy · ‎08-30-2010

Stephen has given you an answer. As an aside, I recommend use of a lookup table rather than eventtypes for this use case.

srussellnpr · ‎08-31-2010

Ah, precisely! It looks more like:

[ua_iphone] UserAgent="iPhone"

However, I was considering writing a script in python to create a dynamic lookup table, but then I heard about this eventtype approach.

Stephen_Sorkin · ‎08-30-2010

I'd normally recommend a lookup as well, but my guess is that the actual eventtypes have wildcards, which CSV lookups don't play well with.

Stephen_Sorkin · ‎08-30-2010

Yes, you should be able to do this by manually running the typer command after the stats count. For example:

index="summary" search_name="si_useragent" | stats count by UserAgent | typer | eval eventtype=mvfilter(match(eventtype, "ua_.*")) | top eventtype