Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my search to sort performance logs from one set of servers into one category, and everything else into another category?

ShagVT
Path Finder
‎01-21-2016 01:52 PM

I'm trying to write a search that will look at performance logs for my servers, putting the data from one set of servers into one bin, and everything else into a second bin.

Here's my attempt:

index=myindex sourcetype=performance_file ExecutionTime | eval category=(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", host!="host1" AND host!="host2" AND host!="host3" AND host!="host4", "OtherServers") | timechart span=1m avg(resptime) by category

I'm surprised by the error I'm getting:

Error in 'eval' command: The expression is malformed. Expected ).

Am I on the right track at all? I'm a bit of a rookie at advanced queries like this.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎01-21-2016 02:28 PM

Try This 

index=myindex sourcetype=performance_file ExecutionTime | eval category=if(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", "OtherServers") | timechart span=1m avg(resptime) by category

You were on the right track but I just modified your eval to use an if statement.

Here is the link with the syntax for if statements and many others.
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

View solution in original post

Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-21-2016 02:30 PM

You forgot the "case" and the double =

eval category = case(host ...

take a look at example 11 here: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval

0 Karma
Reply
Solved! Jump to solution

MattZerfas
Communicator
‎01-21-2016 02:31 PM

No need for a case if he just wants 2 groups of items. If he wanted 3 or more then a case statement would work better than an if statement.

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎01-21-2016 02:35 PM

True. I didn't notice there were just two groups. Just saw a long eval and "assumed" there were more.

0 Karma
Reply
Solved! Jump to solution

MattZerfas
Communicator
‎01-21-2016 02:37 PM

Yup I did the same thing until I read through his query 🙂 All good.

0 Karma
Reply
Solved! Jump to solution
Solution

MattZerfas
Communicator
‎01-21-2016 02:28 PM

Try This 

index=myindex sourcetype=performance_file ExecutionTime | eval category=if(host="host1" OR host="host2" OR host="host3" OR host="host4", "SpecialServers", "OtherServers") | timechart span=1m avg(resptime) by category

You were on the right track but I just modified your eval to use an if statement.

Here is the link with the syntax for if statements and many others.
http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/Commonevalfunctions

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...