Splunk Search

Help on SPL query - Dashboard Studio

jaibalaraman
Path Finder

How do I edit the below append command for my real-time environment?

The source below is obtained from Splunk Dashboard Studio.

| makeresults count=50 | eval app="Web Server", type="User"
| append [ makeresults count=28 | eval app="Web Server", type="System" ]
| append [ makeresults count=22 | eval app="Web Server", type="Idle" ]
| append [ makeresults count=22 | eval app="Network", type="User" ]
| append [ makeresults count=48 | eval app="Network", type="System" ]
| append [ makeresults count=30 | eval app="Network", type="Idle" ]
| append [ makeresults count=65 | eval app="Load Balancer", type="User" ]
| append [ makeresults count=17 | eval app="Load Balancer", type="System" ]
| append [ makeresults count=18 | eval app="Load Balancer", type="Idle" ]
| append [ makeresults count=50 | eval app="Storage", type="User" ]
| append [ makeresults count=27 | eval app="Storage", type="System" ]
| append [ makeresults count=23 | eval app="Storage", type="Idle" ]
| append [ makeresults count=18 | eval app="Database", type="User" ]
| append [ makeresults count=60 | eval app="Database", type="System" ]
| append [ makeresults count=22 | eval app="Database", type="Idle" ]
| append [ makeresults count=50 | eval app="Security", type="User" ]
| append [ makeresults count=12 | eval app="Security", type="System" ]
| append [ makeresults count=38 | eval app="Security", type="Idle" ]
| append [ makeresults count=45 | eval app="Auth Server", type="User" ]
| append [ makeresults count=32 | eval app="Auth Server", type="System" ]
| append [ makeresults count=23 | eval app="Auth Server", type="Idle" ]
| append [ makeresults count=50 | eval app="CDN", type="User" ]
| append [ makeresults count=28 | eval app="CDN", type="System" ]
| append [ makeresults count=22 | eval app="CDN", type="Idle" ]
| chart count by app, type
| eval sort_field=case(app=="Web Server",1,app=="Network",2,app=="Load Balancer",3,app=="Storage",4,app=="Database",5,app=="Security",6,app=="Auth Server",7,app=="CDN",8)
| sort sort_field
| table app, User, System, Idle

jaibalaraman_0-1683852910658.png


My current Splunk search:

jaibalaraman_1-1683853084601.png

index=sample x_host_header=www.sample.com
| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows", if(match(useragent,"Mac"),"Mac", if(match(useragent,"CPH"),"Android", if(match(useragent,"Nokia"),"Android", if(match(cs_user_agent,"Pixel"),"Android",
  if(match(useragent,"TB-"),"Android", if(match(useragent,"VFD"),"Android", if(match(useragent,"HP%20Pro%20Slate"),"Android", if(match(cs_user_agent,"VOG-L09"),"Android", if(match(useragent,"YAL-L21"),"Android", if(match(useragent,"ATU-L22"),"Android",
  if(match(useragent,"MAR-LX1A"),"Android", if(match(useragent,"RNE-L22"),"Android", if(match(useragent,"INE-LX2"),"Android", if(match(useragent,"AMN-LX2"),"Android", if(match(useragent,"LYO-LO2"),"Android", if(match(useragent,"DRA-LX9"),"Android",
  if(match(useragent,"LYA-L29"),"Android", if(match(useragent,"ANE-LX2J"),"Android", if(match(useragent,"STK-L22"),"Android", if(match(useragent,"EML-AL00"),"Android", if(match(useragent,"BLA-L29"),"Android", if(match(useragent,"X11"),"Linux",
  if(match(useragent,"LDN-LX2"),"Android", if(match(useragent,"TB3-"),"Android", if(match(useragent,"5033T"),"Android", if(match(useragent,"5028D"),"Android", if(match(useragent,"5002X"),"Android", if(match(useragent,"COR-"),"Android",
  if(match(useragent,"MI%20MAX"),"Android", if(match(useragent,"WAS-LX2"),"Android", if(match(useragent,"vivo"),"Android", if(match(useragent,"EML-L29"),"Android", if(match(useragent,"Moto"),"Android", if(match(useragent,"MMB"),"Android", "OTHER"))))))))))))))))))))))))))))))))))))

0 Karma

jaibalaraman
Path Finder

Yes, I have created an eval SPL query to find out the list of mobile devices (Android / Mac / Windows / Bot / Linux / DuckDuckGo).

Please find below the eval command, which is working 100% fine; the SPL command is shared in my previous chat.


index=sample x_host_header=www.sample.com
| eval Device = if(match(useragent,"SM-"),"Android", if(match(useragent,"Windows"),"Windows", if(match(useragent,"Mac"),"Mac", if(match(useragent,"CPH"),"Android", if(match(useragent,"Nokia"),"Android", if(match(cs_user_agent,"Pixel"),"Android", if(match(useragent,"TB-"),"Android",
  if(match(useragent,"VFD"),"Android", if(match(useragent,"HP%20Pro%20Slate"),"Android", if(match(cs_user_agent,"VOG-L09"),"Android", if(match(useragent,"YAL-L21"),"Android", if(match(useragent,"ATU-L22"),"Android", if(match(useragent,"MAR-LX1A"),"Android", if(match(useragent,"RNE-L22"),"Android", "OTHER"))))))))))))))

jaibalaraman_0-1683889906404.png

What I am trying to achieve:

I am creating a Dashboard Studio dashboard for our application, where I am trying to reverse engineer an already created predefined Dashboard Studio dashboard.

The output I am expecting is to see the list of users who are using Android / Mac / Windows / Linux / DuckDuckGo.

I am not sure how to edit the below append function so that it gives me that output.


| makeresults count=50 | eval app="Web Server", type="User"
| append [ makeresults count=28 | eval app="Web Server", type="System" ]
| append [ makeresults count=22 | eval app="Web Server", type="Idle" ]
| append [ makeresults count=22 | eval app="Network", type="User" ]
| append [ makeresults count=48 | eval app="Network", type="System" ]
| append [ makeresults count=30 | eval app="Network", type="Idle" ]
| append [ makeresults count=65 | eval app="Load Balancer", type="User" ]
| append [ makeresults count=17 | eval app="Load Balancer", type="System" ]
| append [ makeresults count=18 | eval app="Load Balancer", type="Idle" ]
| append [ makeresults count=50 | eval app="Storage", type="User" ]
| append [ makeresults count=27 | eval app="Storage", type="System" ]
| append [ makeresults count=23 | eval app="Storage", type="Idle" ]
| append [ makeresults count=18 | eval app="Database", type="User" ]
| append [ makeresults count=60 | eval app="Database", type="System" ]
| append [ makeresults count=22 | eval app="Database", type="Idle" ]
| append [ makeresults count=50 | eval app="Security", type="User" ]
| append [ makeresults count=12 | eval app="Security", type="System" ]
| append [ makeresults count=38 | eval app="Security", type="Idle" ]
| append [ makeresults count=45 | eval app="Auth Server", type="User" ]
| append [ makeresults count=32 | eval app="Auth Server", type="System" ]
| append [ makeresults count=23 | eval app="Auth Server", type="Idle" ]
| append [ makeresults count=50 | eval app="CDN", type="User" ]
| append [ makeresults count=28 | eval app="CDN", type="System" ]
| append [ makeresults count=22 | eval app="CDN", type="Idle" ]
| chart count by app, type
| eval sort_field=case(app=="Web Server",1,app=="Network",2,app=="Load Balancer",3,app=="Storage",4,app=="Database",5,app=="Security",6,app=="Auth Server",7,app=="CDN",8)
| sort sort_field
| table app, User, System, Idle


Thanks 


0 Karma

ITWhisperer
SplunkTrust

Edit the data source or create a new one based on your search, and update the panel to use the new / updated data source.

0 Karma

jaibalaraman
Path Finder

Sorry, I am trying to achieve the same output which I have used with eval, applying the same concept for Dashboard Studio. Not sure how do I edit t

0 Karma

ITWhisperer
SplunkTrust

Open the dashboard and click on the edit option

ITWhisperer_0-1683893133381.png

Then click on the Edit Data Overview button

ITWhisperer_1-1683893180525.png

Click on the pencil for the search you want to update

ITWhisperer_2-1683893259543.png

Or create a new search

ITWhisperer_3-1683893284955.png

Paste your search into the Search with SPL box

0 Karma

ITWhisperer
SplunkTrust

What is it that you are trying to achieve?

By the way, you could convert the series of nested if functions to a case function.

0 Karma
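One way to put ITWhisperer's two suggestions together, as an added example rather than code from the thread or from the Dashboard Studio sample: the makeresults chain is replaced with the real search, and the nested if() calls become a single case(), which evaluates its clauses in order so the first true one wins, exactly as the nested ifs did (OS checks therefore stay ahead of the model-name checks). It assumes the username is in a field named user and that DuckDuckGo browser agents contain the string DuckDuckGo, and it carries only a few of the original Android model prefixes; extend the alternation with the rest.

```spl
index=sample x_host_header=www.sample.com
| eval Device=case(
    match(useragent,"DuckDuckGo"), "DuckDuckGo",
    match(useragent,"Windows"), "Windows",
    match(useragent,"Mac"), "Mac",
    match(useragent,"X11"), "Linux",
    match(useragent,"Android|SM-|CPH|Nokia|Pixel|TB-|VFD|Moto|vivo|MMB"), "Android",
    true(), "OTHER")
| chart count BY user Device
| fillnull value=0
| sort user
```

The result has one row per user and one column per Device value, the same shape the sample panel gets from chart count by app, type, so the panel's visualization can stay as it is. Note that match(useragent,"Mac") also catches iPhone and iPad agents, which carry "like Mac OS X", just as the original eval does; add an explicit iOS clause ahead of it if those should be counted separately.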