Splunk Search

grouping search results by hostname

smudge797
Path Finder

We need to group hosts by naming convention in search results so for example hostnames:
x80* = env1
y20* = prod
L* = test
etc..

Also can this be done by | tsats command?

0 Karma
1 Solution

sundareshr
Legend

Try this

... | eval env=case(match(host, "x80*), "env1", match(host, "y20*), "prod", match(host, "L*), "test", 1=1, "UNK") 

View solution in original post

0 Karma

somesoni2
Revered Legend

Try something like this (sample tstats command, replace it with your own). The case statement works with regular expression and providing a partial regex will match any position.

| tstats count WHERE index=* by host | eval Environment=case(match(host,"x80"),"env1",match(host,"y20"),"prod",match(host,"L"),"test","ny","someotherenv",ture(),"OTHERE") | stats sum(count) as count by Environment
0 Karma

sundareshr
Legend

Try this

... | eval env=case(match(host, "x80*), "env1", match(host, "y20*), "prod", match(host, "L*), "test", 1=1, "UNK") 
0 Karma

smudge797
Path Finder

Thanks, looking promising. seems to struggle with hosts matching names in the middle so like ny

0 Karma

sundareshr
Legend

This will look for hosts that start with x80 for eg. Not in the middle. Can you share some sample or mocked up hosts to adjust the match pattern

0 Karma

smudge797
Path Finder

ah the page does not like the wild cards. common is the ny between the wildcards * ny *
RAAG14*NY1234
RABHAG94
NY1256
RACAG84
NY1277
RADAGSS4
NY1244
RAEAG14
NY*9888

page keeps cutting my post, but i hope it makes sense..

0 Karma

sundareshr
Legend

So all hosts with the characters NY should be considered in the prod group?

0 Karma

sundareshr
Legend

Try these

match(host, "\*")

match(host, "NY")
0 Karma

smudge797
Path Finder

Thanks this is working well.

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...