Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

group source types

athorat
Communicator
‎05-14-2015 12:23 AM

Hi

I am getting the list of sourcetype and its usage in GB.
index=_internal source=*metrics.log | eval GB=kb/(1024*1024) | search group="per_sourcetype_thruput" | timechart span=1d sum(GB) by series limit=0 | sort -sourcetype

Want to group/categorize certain source types , like those with ecsweb:prod:E1, ecsweb:prod:E2 and ecsweb:prod:E3 in Category Prod.

Tried using the following query which does not work.
index=_internal source=metrics.log | eval GB=kb/(1024*1024) | search group="per_sourcetype_thruput" | timechart span=1d sum(GB) by series limit=0 | sort +sourcetype| eval series =if(series ="ecsweb:", "PROD", series)

Tags (2)
0 Karma
Reply

athorat
Communicator
‎05-14-2015 10:22 AM

I am not sure about rex because the soruce types are being captured only challenge is to bucket them by name/similar names types into specific categories.

0 Karma
Reply

mmccul
SplunkTrust
SplunkTrust
‎05-14-2015 10:28 AM

That's the point. You're capturing the sourcetypes into a field. A transform to define a new field with the reduced portion allows you to clump them according to the pattern you identified into a new field. rex field=sourcetype "^[^:]+:(?<newsrctyp>.*)" would strip out the portion up to and including the first colon for you and place into the field newsrctyp, which is now grouped.

0 Karma
Reply

athorat
Communicator
‎05-14-2015 03:21 PM

Hey So the sources are coming in a field called series

index=_internal source=*metrics.log | eval GB=kb/(1024*1024) | search group="per_sourcetype_thruput" | timechart span=1d sum(GB) by series limit=0 | sort -sourcetype|

so the source type here should be Series? Tried both, no luck.
rex field=sourcetype "^[^:]+:(?<newsrctyp>.*)"

Correct me if I am wrong.

Thanks,
Anil.

0 Karma
Reply

mmccul
SplunkTrust
SplunkTrust
‎05-14-2015 10:14 AM

Run a rex to create a new field based on the sourcetype to capture the portion of the sourcetype you care about. Use that new transformed sourcetype field instead.

0 Karma
Reply

athorat
Communicator
‎05-14-2015 10:10 AM

Filtering by sourcetype=ecsweb:prod:E* does return any results.
So the goal is, when the first query returns the results. The source types should be categorised into buckets.
like ECSweb:PROD :to PROD
ECSweb:PERF: to PERF.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-14-2015 04:34 PM

You can try this, again this shouldnt be in your _internal index...

index=_internal source=metrics.log group="per_sourcetype_thruput" | rex field=sourcetype "ecsweb:(?<newsrc>.*)" | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) by newsrc | sort -newsrc

0 Karma
Reply

athorat
Communicator
‎05-14-2015 05:21 PM

Throws an error as it has by series and by newsrc

Didnt get you this shouldnt be in your _internal index...???

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-14-2015 05:50 PM

Updated search, please try.

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎05-14-2015 01:13 AM

Something like this? However this sourcetype shouldnt be in _internal...

index=_internal source=metrics.log group="per_sourcetype_thruput" sourcetype=ecsweb:prod:E* | eval GB=kb/(1024*1024) | timechart span=1d sum(GB) by series limit=0 | sort +sourcetype

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Community Maintenance: 10/28

Howdy folks, just popping in to let you know that the Splunk Community site will be in read-only mode ...

Best Practices for Metrics Pipeline Management

We can’t guarantee the health of our services or a great user experience without data from our applications. ...

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its ...