- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Code is easier to explain: I wanted a bunch of new categories and i found eval especially useful - here is an obfuscated example
| index=my_index CONNECTED source="/var/log/vmware/my_log.log"
| eval vdi_pool=case(
match(name,"1A-VDI\d{3}"), "pool1",
match(name,"1B-VDI\d{3}"), "pool2",
match(name,"2A-VDI\d{3}"), "pool3",
match(name,"2B-VDI\d{3}"), "pool4",
match(name,"3A-VDI\d{3}"), "pool5",
match(name,"3B-VDI\d{3}"), "pool6",
1=1, "unclassified"
)
| timechart span=1h count by vdi_poolThis made the subsequent querys super easy. Irritatingly within the dashboard, if I add a new value I need to update all of the queries - this vexes me greatly 😥
I have noticed the entire definition can be downloaded as a json doc - so Im tempted to start templating this in python - this does not seem sane - ideally I'd like to create blocks of repeatable logic I can assemble together to show different scenarios.
Anyone done anything similar to achieve this kind of capability - but more "splunkonic"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you got any good links? else I'll just search
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this is reusable code, then it should be a macro - then if it changes, just change the macro definition and all uses of the macro will use the new definition.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
