Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to replace a value in a multivalue field?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to report on user web activity to a particular category as well as list the URLs in that category. I have the following so far.
Search...
| eval MB = bytes_to_server/1024/1024
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
This works, but I would like to consolidate some of the URLs. For example, I would like to just make lb1.cloudsite.com, lb2.cloudsite.com, etc into 1 url of cloudsite.com
I attempted using the following eval and it works, but I am left with no other results. I read up on the case function and I understand why it does that, but I am still looking for another function that will do that as well as leave me with the other results that do not match.
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this
Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
SInce you're using just one condition, you can use if condition as well.
Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
YOu need to provide the default value for the case so that if it's not matching cloudsite.com, to use current URL value. Something like this
Search...
| eval MB = bytes_to_server/1024/1024
| eval url=case(searchmatch("*.cloudsite.com"), "cloudsite.com",1=1,url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
SInce you're using just one condition, you can use if condition as well.
Search...
| eval MB = bytes_to_server/1024/1024
| eval url=if(searchmatch("*.cloudsite.com"), "cloudsite.com",url)
|stats count,sum(MB), values(url), values(user) by src_ip, urlCategories,
|sort -sum(MB)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Instead of 1==1, I use true().
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks somesoni2! This worked for me. I don't know the difference between 1==1 and true(), but 1==1 seems to be doing the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both 1=1 and True() generate boolean true (always), means if any of prior conditions are not true, the value following 1=1 OR true() will be used.
I would say true() will be more efficient method as it's generating boolean true without any evaluation.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
