multiple like within if statement

karche · ‎10-27-2011

In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY

If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.

This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host

but multiple like failed, I got invalid eval statement

sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")

My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.

Thanks in advance.

karche · ‎10-28-2011

Thank you, Kristian. It works.

Ayn · ‎10-28-2011

Please mark the answer as accepted. Thank you.

kristian_kolb · ‎10-28-2011

Hi,

Something along the lines of:

sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT",  host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup

hope this helps,

Kristian

TonyLeeVT · ‎08-04-2018

Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

lakromani · ‎04-19-2016

You can shorten this:

host LIKE "%", "Others"

to

1=1, "Others"

Since both above is true, this will be true of noen of the other is true.

Ayn · ‎10-28-2011

Use case instead of if.

More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

multiple like within if statement

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies