The search below is taking anything that contains IBC Allow in the category and repurposing it to a new Category. The only thing is, I'm not able to capture the IBC Allows stuff as well from the category and repurpose it to the new Category. How can I accomplish this?
index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC | timechart per_second(eval(round(if(Category="IBC",src_bytes,0)*8/1024/1024,2))) AS IBC_Traffic_Mb by GW
If I run this it will return results back for IBC Allow and IBC Allows.
If you run the following, does it return rows with category="IBC Allow" only, or both?
index=proxysg sourcetype=proxysg category="IBC Allow*"
It didn't work. It's still not capturing the IBC Allows. It's only capturing IBC Allow.
Per the definition of LIKE it should [like(category,"IBC Allow%"), where % is the wildcard character]. Try the search that I provided earlier and see if that's matching both 'IBC Allow' and 'IBC Allows'.
The like condition isn't capturing IBC Allow and IBC Allows; it's only capturing IBC Allow. I've done a search to compare the results and it's not capturing both. It's only capturing IBC Allow.
Well, with the condition 'like(category,"IBC Allow%")', it's capturing 'IBC Allow', 'IBC Allows', etc., basically anything that starts with 'IBC Allow'. To capture other categories, you need to add conditions for those as well (e.g. category="IBC Allow*" OR category="softwhitelist" OR category="shopping"). If the number of categories to be included is high but the number to be excluded is small, you can use 'NOT' to exclude them instead of providing a big inclusion list.
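To make the behaviour discussed above concrete, here is an added example (not code from the thread) that emulates Splunk's like() wildcard matching and the case() classification over a few constructed proxysg-style events, then totals the Mb figure per GW as a plain sum rather than the per_second rate. Field names are case-sensitive in Splunk, so the field argument lets you see what happens when the eval references category but the data carries Category.

```python
import re
from collections import defaultdict

# Constructed sample of proxysg-style events (not real log data).
EVENTS = [
    {"category": "IBC Allow",     "src_bytes": 1_048_576, "GW": "gw1"},
    {"category": "IBC Allows",    "src_bytes": 2_097_152, "GW": "gw1"},
    {"category": "softwhitelist", "src_bytes": 524_288,   "GW": "gw2"},
    {"category": "shopping",      "src_bytes": 4_194_304, "GW": "gw2"},
    {"category": "IBC Allow",     "src_bytes": 524_288,   "GW": "gw2"},
]

def spl_like(text, pattern):
    """Emulate eval like(TEXT, PATTERN): % matches any run of characters,
    _ matches exactly one character, everything else is literal."""
    if text is None:
        return None  # a missing field yields null, as in Splunk
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text) is not None

def classify(event, field="category"):
    """Emulate: eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC").
    A null like() result does not satisfy the first branch, so it falls to 1=1."""
    return "IBC" if spl_like(event.get(field), "IBC Allow%") else "Non-IBC"

def ibc_traffic_mb_by_gw(events, field="category"):
    """Sum round(src_bytes*8/1024/1024, 2) per GW over IBC-classified events."""
    totals = defaultdict(float)
    for ev in events:
        if classify(ev, field) == "IBC":
            totals[ev["GW"]] += round(ev["src_bytes"] * 8 / 1024 / 1024, 2)
    return dict(totals)
```

Both 'IBC Allow' and 'IBC Allows' land in the IBC bucket; pointing the eval at a field name that does not exist in the events classifies everything as Non-IBC.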
How about:
index=proxysg sourcetype=proxysg | eval Category=if(category like "IBC All%", "IBC","Non-IBC") | ...rest of your search...
In the Category field with a capital "C", there are multiple categories for instance: IBC Allow, IBC Allows, Non-IBC, softwhitelist, shopping, etc... What I'm trying to do is grab all of the IBC Allow and IBC Allows stuff and put them into one category. My current search only grabs IBC Allow; it doesn't grab both of them.
Based on the filters you've applied, I guess the search can be simplified as follows:
index=proxysg sourcetype=proxysg category="IBC Allow*" | timechart per_second(eval(round(src_bytes*8/1024/1024,2))) AS IBC_Traffic_Mb by GW
What do you mean by "capture the IBC Allows stuff as well from the category"? Is there some special information present in the category field which you want to display?
Your search would be simpler and more efficient if you started it with:
index=proxysg sourcetype=proxysg Category="IBC Allow*"
Then the subsequent search would not be necessary.
It's not clear to me exactly what you are trying to do.