On various occasions I find myself writing formulas like (simplified version):
eval cat=case(like(CC, "TenantA%"), "ABC", like(CC, "TenantB%"), "BBC", true(), "Enterprise")
Or mapping the hosts to regions
eval site=case(like(host, "%-au%"), "AWS US", like(host, "%-ac%"), "AWS CA", like(host, "%-ae%"), "AWS EU", true(), "UnKnown")
Sometimes I use the same mappings across many reports and dashboards.
Copy/paste does not cut it. Also sometimes they need to get updated. Any suggestion?
Search macros will help you;
I'd want to try it to be certain, but it sounds like it could be a job for a lookup... with WILDCARD match type defined for some columns: https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/m-p/9...
Did not know about the search macros.
They are very clunky but they do the job!
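Both suggestions from this thread, written out as configuration for the host-to-site mapping in the question. This is an added example, not part of the original posts; the macro name `site_from_host`, the lookup name `host_site`, the file `host_site.csv` and the column `host_pattern` are assumed names.

```ini
# --- Option 1: search macro (macros.conf) ---
# Keeps the case() expression in one place; every report and dashboard
# calls the macro instead of carrying its own copy.
[site_from_host]
definition = eval site=case(like(host, "%-au%"), "AWS US", like(host, "%-ac%"), "AWS CA", like(host, "%-ae%"), "AWS EU", true(), "UnKnown")

# Usage in a search (macro names are wrapped in backticks):
#   index=... | `site_from_host` | stats count by site


# --- Option 2: wildcard lookup (transforms.conf) ---
# The mapping lives in a CSV, so updating it means editing rows,
# not searches.
[host_site]
filename = host_site.csv
# Treat values in the host_pattern column as wildcard patterns (* matches any run of characters).
match_type = WILDCARD(host_pattern)
# Return only the first matching row, in file order, like case() does.
max_matches = 1
# With min_matches = 1, hosts that match no row get default_match,
# which plays the role of the true() fallback in the case() expression.
min_matches = 1
default_match = UnKnown

# Contents of host_site.csv (constructed from the mapping in the question):
#   host_pattern,site
#   *-au*,AWS US
#   *-ac*,AWS CA
#   *-ae*,AWS EU

# Usage in a search:
#   index=... | lookup host_site host_pattern AS host OUTPUT site | stats count by site
```

Row order in the CSV matters when a host could match more than one pattern, because only the first match is returned.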