Search Query Assistance - break data into table.

herndona · ‎02-12-2015

I am working on a search that will take a massive list of user groups and table the servers under such group.
An example input:

Group:  appldev ===> uslx233, uslx235, uslx238, uslx239, xls001cn03, xls001cn04
Group:  appldvs ===> xla001cn01, xla001cn02, xla001cn07, xls001cn01, xls001cn02, xls001cn03, xls001cn04
Group:  cmod ===> uslx30a, uslx31a, uslx32a, uslx33a, uslx34a, uslx1064, uslx1065, uslx1067

In the example, appldev is the group name and everything else after ===> are the servers it pertains to. This all comes in as a single Splunk log entry (it is about 58 lines long).
I will be writing an XML based form in Splunk using the group names as radio buttons. When a group name is selected, it will bring up a table of all servers. I can get the radio button and dynamic dashboard into place, however, I am looking for suggestions on breaking out just the servers requested by the radio button.

For example, if you ignore the radio button scenario above, how would I get a search to do the following:

pseudo search:

group='appldev' | table related_hosts

output:

related_hosts:

uslx233
uslx235
uslx238
...
...
..

Any suggestions are appreciated.
Thanks!

sideview · ‎02-12-2015

if the field really is called "related_hosts", then it would look like

group='appldev' | stats count by related_hosts

If the field is simply "host", then

group='appldev' | stats count by host

and if you want to sort by count,

    group='appldev' | stats count by host | sort 0 - count