Solved: Re: How to condense search outputs?

odle89 · ‎06-06-2019

I would like to condense this search output in order to see all Windows versions as "Windows" and all Mac versions as "Mac".

sourcetype="fire-ext_prd_app" NOT cv 
| eval Mac = proctorCacheOS2
| eval Windows = proctorCacheOS
| spath output=proctorCacheOS path="msg0.OS" 
| spath output=proctorCacheOS2 path="msg0.OS" 
| search proctorCacheOS=Windows* OR proctorCacheOS2=Mac*
| top limit=50 proctorCacheOS

kmorris_splunk · ‎06-06-2019

Add the eval statement that I added above your last line of the search.

sourcetype="fire-ext_prd_app" NOT cv 
 | eval Mac = proctorCacheOS2
 | eval Windows = proctorCacheOS
 | spath output=proctorCacheOS path="msg0.OS" 
 | spath output=proctorCacheOS2 path="msg0.OS" 
 | search proctorCacheOS=Windows* OR proctorCacheOS2=Mac*
 | eval winmac=case(proctorCacheOS like "Windows%","Windows",proctorCacheOS like "Mac%","Mac")
 | top limit=50 proctorCacheOS

View solution in original post

odle89 · ‎06-06-2019

sourcetype="fire-ext_prd_app" NOT cv 
  | spath output=proctorCacheOS path="msg0.OS" 
  | spath output=proctorCacheOS2 path="msg0.OS" 
  | eval winmac=case(proctorCacheOS like "Windows%","Windows",proctorCacheOS like "Mac%","Mac")
  | top limit=50 winmac

I had to change a couple things but that worked! Thanks much!!

kmorris_splunk · ‎06-06-2019

Add the eval statement that I added above your last line of the search.

sourcetype="fire-ext_prd_app" NOT cv 
 | eval Mac = proctorCacheOS2
 | eval Windows = proctorCacheOS
 | spath output=proctorCacheOS path="msg0.OS" 
 | spath output=proctorCacheOS2 path="msg0.OS" 
 | search proctorCacheOS=Windows* OR proctorCacheOS2=Mac*
 | eval winmac=case(proctorCacheOS like "Windows%","Windows",proctorCacheOS like "Mac%","Mac")
 | top limit=50 proctorCacheOS

How to condense search outputs?

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Are you a member of the Splunk Community?

How to condense search outputs?

Reduce and Transform Your Firewall Data with Splunk Data Management

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions