- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
i kind of already have this working but wondering what else can be done with this?what other approaches i can implement?
So,In order to simplify analysis I have been testing a search macro and I’m wondering of some of the features could be implemented in better ways in Splunk. It would be nice if we just inherently had these more “friendly” fields.
I created a Search macro named “SAP” which:
• Filters to only return where index like “stone*” to only show our logs
• Converts host name to environment (DEV, QA, UAT, PRODINT, PROD)
Available as a new field named “environment”
• Converts host name to application (FAM, KLM App,KLM Web)
Available as a new field named “application”
• Converts host name to friendlyhost (DEV FAM, DEV KLM App, DEV KLM Web, QA FAM, etc…)
Available as a new field named “friendlyhost”
one of the examples i use is
"ERROR" | SAP | timechart count by friendlyhost or by environment/application
this works fine, but i was wondering if there is a more elegant way of doing this.If i can build these “environment”, “application”, “friendlyhost” fields behind the scenes so i don’t need to use the search macro as the macro complicates the query a bit.
Thanks for all the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calling the macro AFTER the search condition will be costly. (as all events will be returned, then passed to the macro for later filtering)
It may be better to make one macro that goes in the main search condition (before the | ), to do the filter.
For the host/envitonment extractions, if they are simple regex, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Calling the macro AFTER the search condition will be costly. (as all events will be returned, then passed to the macro for later filtering)
It may be better to make one macro that goes in the main search condition (before the | ), to do the filter.
For the host/envitonment extractions, if they are simple regex, you could use an automated field extraction instead of a macro.
For the host/environment/application conversion to a friendly name, you could also use an automated lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Yannk,i will look into lookups and maybe field aliases
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks yannk.automated field extraction will not work for me.i have 14 servers with long ass names and when i want to bring up a report for all these environments i have to type every single one of those server names in my search.maybe i can create an eventtype for some of the environments.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your comment (which shouldn't have been posted as an answer) doesn't make too much sense to me.
The macro you described in your question only populates some additional fields, derived from the host field. That sounds like a perfect case to implement using automated extractions and/or lookups.
Why would implementing these conversions as automated lookups/extractions rather than using the macro mean you have to type every single servername into your search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i didn't mean to post my reply as an answer.
