Splunk Search
Highlighted

Limited Search to 2 Categories

Engager

The search below takes anything that contains IBC Allow in the category and repurposes it to a new Category. The only thing is, I'm not able to capture the IBC Allows stuff as well from the category and repurpose it to the new Category. How can I accomplish this?

index=proxysg sourcetype=proxysg | eval Category=case(like(category,"IBC Allow%"),"IBC",1=1,"Non-IBC") | search Category=IBC | timechart persecond(eval(round(if(Category="IBC",srcbytes,0)*8/1024/1024,2))) AS IBCTrafficMb by GW

0 Karma

Re: Limited Search to 2 Categories

Contributor

Your search would be simpler and more efficient if you started it with:

index=proxysg sourcetype=proxysg Category="IBC Allow*"

Then the subsequent search would not be necessary.

It's not clear to me exactly what you are trying to do.

0 Karma

Re: Limited Search to 2 Categories

SplunkTrust

Based on the filters you've applied, I guess the search can be simplified as follows:

index=proxysg sourcetype=proxysg category="IBC Allow*" | timechart persecond(eval(round(srcbytes*8/1024/1024,2))) AS IBCTrafficMb by GW

What do you mean by "capture the IBC Allows stuff as well from the category"? Is there some special information present in the field category which you want to display?

0 Karma

Re: Limited Search to 2 Categories

Engager

In the Category field with a capital "C", there are multiple categories for instance: IBC Allow, IBC Allows, Non-IBC, softwhitelist, shopping, etc... What I'm trying to do is grab all of the IBC Allow and IBC Allows stuff and put them into one category. My current search only grabs IBC Allow; it doesn't grab both of them.

0 Karma

Re: Limited Search to 2 Categories

Motivator

How about:

index=proxysg sourcetype=proxysg | eval Category=if(category like "IBC All%", "IBC","Non-IBC") | ...rest of your search...
0 Karma

Re: Limited Search to 2 Categories

SplunkTrust

Well, with the condition 'like(category,"IBC Allow%")', it's capturing 'IBC Allow', 'IBC Allows', etc., basically anything that starts with 'IBC Allow'. To capture other categories, you need to add conditions for those as well (e.g. category="IBC Allow*" OR category="softwhitelist" OR category="shopping"). If the number of categories to be included is high but the number to be excluded is small, you can use 'NOT' to exclude them instead of providing a big inclusion list.

0 Karma

Re: Limited Search to 2 Categories

Engager

the like condition isn't capturing IBC Allow and IBC Allows; it's only capturing IBC Allow. I've done a search to compare the results and it's not capturing both. It's only capturing IBC Allow.

0 Karma

Re: Limited Search to 2 Categories

SplunkTrust

By the definition of LIKE, it should [like(category,"IBC Allow%"), where % is the wildcard character]. Try the search that I provided earlier and see if that's matching both 'IBC Allow' and 'IBC Allows'.

0 Karma
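To make the like() semantics discussed in the two replies above concrete, here is an added, runnable model of the eval functions involved. It is not Splunk code and not part of this thread; it reimplements the documented pattern language of like() (% matches any run of characters, _ matches exactly one, everything else is literal) and the first-true-wins behaviour of case(), and runs the thread's eval over a small constructed event set. Two points it makes visible: "IBC Allow%" matches both "IBC Allow" and "IBC Allows", and SPL field names are case-sensitive, so an eval that reads `category` while the extracted field is `Category` sees a null, like() then returns null, and case() falls through to "Non-IBC" for every event. Treating like() as case-sensitive on field values (unlike a search-command term such as category="IBC Allow*") is an assumption of this model. Sample events, the field name arguments and the helper names are all constructed for illustration.

```python
import re


def spl_like_to_regex(pattern: str) -> re.Pattern:
    """Translate an SPL like() pattern to an anchored regex.

    '%' = any run of characters, '_' = exactly one character; every other
    character is escaped so that e.g. '.' or '(' in a category name stays literal.
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def spl_like(value, pattern: str):
    """Model of eval like(TEXT, PATTERN).

    A missing (null) field yields null (None) rather than False; a present
    value is matched case-sensitively (assumption of this model).
    """
    if value is None:
        return None
    return spl_like_to_regex(pattern).match(value) is not None


def spl_case(*pairs):
    """Model of eval case(cond1, val1, cond2, val2, ...).

    The first condition that is true selects its value. A null condition is
    not true, so it falls through to the next pair; with no true condition the
    result is null (None).
    """
    for cond, val in zip(pairs[::2], pairs[1::2]):
        if cond:  # both None and False fall through
            return val
    return None


def classify(event: dict, field: str = "category") -> str:
    """The thread's eval: Category=case(like(<field>,"IBC Allow%"),"IBC",1=1,"Non-IBC").

    `field` is the name the eval reads. SPL field names are case-sensitive, so
    'category' and 'Category' are two different fields.
    """
    return spl_case(spl_like(event.get(field), "IBC Allow%"), "IBC",
                    True, "Non-IBC")  # 1=1 is always true


# Constructed sample events; field extracted as 'Category' (capital C), as the
# poster describes. Not real proxysg data.
SAMPLE_EVENTS = [
    {"Category": "IBC Allow", "srcbytes": 1024, "GW": "gw1"},
    {"Category": "IBC Allows", "srcbytes": 2048, "GW": "gw1"},
    {"Category": "Non-IBC", "srcbytes": 512, "GW": "gw2"},
    {"Category": "softwhitelist", "srcbytes": 256, "GW": "gw2"},
    {"Category": "shopping", "srcbytes": 128, "GW": "gw1"},
    {"Category": "ibc allow", "srcbytes": 64, "GW": "gw2"},  # different case
]


def tally(events, field: str) -> dict:
    """Count how many events the eval would file under each new Category value."""
    counts = {}
    for ev in events:
        label = classify(ev, field)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # Reading the field the events actually carry: both IBC Allow variants match.
    print("field=Category:", tally(SAMPLE_EVENTS, "Category"))
    # Reading a field name that differs only in case: nothing matches.
    print("field=category:", tally(SAMPLE_EVENTS, "category"))
```

The practical check this suggests is to confirm the exact field name and value casing before trusting the eval, for example with a quick `| stats count by Category` (and, separately, `by category`) over the same time range.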

Re: Limited Search to 2 Categories

Engager

It didn't work. It's still not capturing the IBC Allows. It's only capturing IBC Allow.

0 Karma

Re: Limited Search to 2 Categories

SplunkTrust

If you run the following, does it return rows with category="IBC Allow" only, or both?

index=proxysg sourcetype=proxysg category="IBC Allow*"

0 Karma