I am trying to look up a server (using an input field - $field1$) in my dashboard and pull the most recent alerts for that server.
My data looks something like this:
datetime | server1.mycompany.com | alert |
datetime | server2.mycompany.com | alert |
datetime | server3.mycompany.com | alert |
...
The query I use is this, and it gives me what I want with one exception:
sourcetype= index=os
| eval server=lower(server)
| search server=$field1$
| table datetime alert
The exception is that one of the servers contains multiple servers under it. For example, all alerts from "server99.mycompany.com" look like this:
datetime | server99.mycompany.com | alert: disk exceeded threshold for server91.mycompany.com |
datetime | server99.mycompany.com | alert: disk exceeded threshold for server93.mycompany.com |
datetime | server99.mycompany.com | alert: disk exceeded threshold for server96.mycompany.com |
...
I need to write a query that says, "IF server=server99.mycompany.com, EXTRACT server**.mycompany.com from the ALERT field". I tried something like this but it's not working: eval extract_server=if(server=server99.mycompany.com, server=([A-Za-z0-9\-_]+).mycompany.com, 0)
UPDATE: This got me what I am looking for (the regex part)! But now I need to figure out how to embed it into an IF statement, so that IF the server is server99, then set the server field as the regex output
| search server="server99.mycompany.com"
| rex field=alert "(?<server2>[A-Za-z0-9\-_]+\.mycompany\.com)"
UPDATE: Figured it out!! Here's what worked:
sourcetype= index=os
| eval server=lower(server)
| search server=$field1$
| rex field=alert "(?<server2>[A-Za-z0-9\-_]+\.mycompany\.com)"
| eval new_server=if(server="server99.mycompany.com", lower(server2), lower(server))
| table datetime alert new_server
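The query above relabels the rows after `| search server=$field1$` has already run, so a dashboard lookup for one of the hosts reported through server99 (server91, say) still returns nothing: those rows carry server=server99 at the point where the filter is applied, and for a server99 row whose alert text contains no hostname, `lower(server2)` is null and new_server ends up empty. The search below is an added example, not the poster's query: it extracts first, builds an effective server name that falls back to the original when the regex does not match, and only then filters on the dashboard token. The field names `reported_server` and `effective_server` are my own; the sourcetype filter from the original search is omitted here and should be put back in front of `index=os`.

```spl
index=os
| eval server=lower(server)
| rex field=alert "(?<reported_server>[A-Za-z0-9_-]+\.mycompany\.com)"
| eval reported_server=lower(reported_server)
| eval effective_server=if(server="server99.mycompany.com" AND isnotnull(reported_server), reported_server, server)
| search effective_server=$field1$
| table datetime server effective_server alert
```

Because the token is compared against effective_server, typing server91.mycompany.com into the input field now returns the disk alerts that server99 raised on its behalf as well as anything logged by server91 directly, and the original server column is kept so it stays visible which host actually emitted the alert. The regex only matches single-label hostnames under mycompany.com; widen the character class if the alert text can carry deeper names.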