Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- multiple like within if statement
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiple like within if statement
In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY
If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.
This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host
but multiple like failed, I got invalid eval statement
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")
My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, Kristian. It works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please mark the answer as accepted. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Something along the lines of:
sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT", host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup
hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?
https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can shorten this:
host LIKE "%", "Others"
to
1=1, "Others"
Since both above is true, this will be true of noen of the other is true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use case instead of if.
More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
