Reporting

How to group hosts for reporting?

the_wolverine
Champion

I have hundreds of hosts within a tier and would like to combine those hosts for the purposes of reporting. For example, I have the following hosts:

web001.mydomain.com
web002
web003
web004
...
web999

I'd like to report all web hosts as web_tier. So I can run a report for users who access hosts in the web_tier. How can I do this?

0 Karma
1 Solution

chris
Motivator

Hi

We have a DB that stores this type of information at our company and we use lookups to add that kind of information to our events.

I guess you could try this eval, and use the tier field for your report:

| eval tier=replace(source,"\d\d\d","_tier")

But I'm guessing that this is probably not what you're looking for.

Chris

View solution in original post

chris
Motivator

Hi

We have a DB that stores this type of information at our company and we use lookups to add that kind of information to our events.

I guess you could try this eval, and use the tier field for your report:

| eval tier=replace(source,"\d\d\d","_tier")

But I'm guessing that this is probably not what you're looking for.

Chris

araitz
Splunk Employee
Splunk Employee

Another way to do this: ... | replace web* with web_tier in host | ...

chris
Motivator

I'm glad if that helped

0 Karma

the_wolverine
Champion

Yes, Chris! This is what I needed! I used the following syntax to match multiple patterns:

| eval tier=replace(host,"(\d\d\d.mydomain.com|\d+.sub.mydomain.com)","_tier")

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...