Hi all,
I am searching web servers' centralized logs and getting results from multiple servers, but those servers belong to different deployments. For example:
- srv1, srv7, srv9, ... belongs to deployment Fin
- srv15, srv19, srv21, ... belongs to deployment Jpn
- srv100, srv102, srv110, ... belongs to deployment Bra
In the results I can see the hosts, but I'm looking for possibilities to group the servers into their own deployments. Is that something I could do during the search by giving an array where the servers are listed, or some other way? Or is this something I should do earlier?
Hi @Petri-X,
2 of many options:
1.) Create a Lookup table with 2 columns: host, deployment.
In your SPL you would then add this to add the deployment:
| lookup host_deployment.csv host OUTPUT deployment
2.) You could use case; I guess it only makes sense if the list is rather small...
| eval deployment=case(host="srv1", "Fin", host="srv15", "Jpn")
The case option could even be made a bit smarter if you extract the number of the server and then work with ranges... but in general I would work with the 1.) option.
BR
Ralph
--
Karma and/or Solution tagging appreciated.
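A fuller worked version of the lookup approach from the answer above, as an added example and not from the original thread or from Splunk's documentation. It assumes a lookup table file named host_deployment.csv has been uploaded with the header `host,deployment` and constructed rows such as `srv1,Fin`, `srv7,Fin`, `srv15,Jpn`, `srv100,Bra`, and that the web logs live in an index called `web` (both names are assumptions). The first search verifies the table contents; the second enriches the events, labels any host that is missing from the table as "unmapped" so it cannot silently vanish from the totals, and then aggregates per deployment. The last search shows the range-based variant the answer mentions: it pulls the number out of the host name and maps it with case, using ranges that are assumed from the question's examples and must be adjusted to the real numbering scheme.

```spl
| inputlookup host_deployment.csv

index=web sourcetype=access_combined
| lookup host_deployment.csv host OUTPUT deployment
| eval deployment=coalesce(deployment, "unmapped")
| stats count AS requests, dc(host) AS servers BY deployment

index=web sourcetype=access_combined
| rex field=host "^srv(?<srvnum>\d+)$"
| eval srvnum=tonumber(srvnum)
| eval deployment=case(srvnum<15, "Fin", srvnum<100, "Jpn", srvnum>=100, "Bra", true(), "unmapped")
| stats count AS requests BY deployment
```

Each of the three searches is run separately. Rows that come back as "unmapped" in the second or third search point at hosts that are either missing from the lookup table or named outside the expected pattern, which is worth checking before trusting per-deployment numbers.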
Ooh !! This was super quick !!
Huge thanks @rnowitzki and @ITWhisperer for your help !
I believe I'll use the case option !
And another option is to use tags for those deployments. Just add a tag with the wanted deployment per server.
r. Ismo
https://www.splunk.com/view/SP-CAAAGYJ
https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Abouttagsandaliases
...
| eval deployment=case(in(server,"srv1","srv7","srv9"),"Fin",in(server,"srv15","srv19","srv21"),"Jpn",in(server,"srv100","srv102","srv110"),"Bra")