Solved: grouping search results by hostname

smudge797 · ‎09-05-2016

We need to group hosts by naming convention in search results so for example hostnames:
x80* = env1
y20* = prod
L* = test
etc..

Also can this be done by | tsats command?

sundareshr · ‎09-05-2016

Try this

... | eval env=case(match(host, "x80*), "env1", match(host, "y20*), "prod", match(host, "L*), "test", 1=1, "UNK")

View solution in original post

somesoni2 · ‎09-05-2016

Try something like this (sample tstats command, replace it with your own). The case statement works with regular expression and providing a partial regex will match any position.

| tstats count WHERE index=* by host | eval Environment=case(match(host,"x80"),"env1",match(host,"y20"),"prod",match(host,"L"),"test","ny","someotherenv",ture(),"OTHERE") | stats sum(count) as count by Environment

sundareshr · ‎09-05-2016

Try this

... | eval env=case(match(host, "x80*), "env1", match(host, "y20*), "prod", match(host, "L*), "test", 1=1, "UNK")

smudge797 · ‎09-05-2016

Thanks, looking promising. seems to struggle with hosts matching names in the middle so like ny

sundareshr · ‎09-05-2016

This will look for hosts that start with x80 for eg. Not in the middle. Can you share some sample or mocked up hosts to adjust the match pattern

smudge797 · ‎09-05-2016

ah the page does not like the wild cards. common is the ny between the wildcards * ny *
RAAG14*NY1234
RABHAG94NY1256
RACAG84NY1277
RADAGSS4NY1244
RAEAG14NY*9888

page keeps cutting my post, but i hope it makes sense..

sundareshr · ‎09-05-2016

So all hosts with the characters NY should be considered in the prod group?

sundareshr · ‎09-05-2016

Try these

match(host, "\*")

match(host, "NY")

smudge797 · ‎09-06-2016

Thanks this is working well.

grouping search results by hostname

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...