Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- multiple like within if statement
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
multiple like within if statement
karche
Path Finder
10-27-2011
10:27 PM
In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY
If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.
This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host
but multiple like failed, I got invalid eval statement
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")
My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karche
Path Finder
10-28-2011
10:45 AM
Thank you, Kristian. It works.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
10-28-2011
11:18 AM
Please mark the answer as accepted. Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
10-28-2011
12:34 AM
Hi,
Something along the lines of:
sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT", host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup
hope this helps,
Kristian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TonyLeeVT
Builder
08-04-2018
10:27 AM
Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?
https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lakromani
Builder
04-19-2016
05:03 AM
You can shorten this:
host LIKE "%", "Others"
to
1=1, "Others"
Since both above is true, this will be true of noen of the other is true.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn
Legend
10-28-2011
12:05 AM
Use case instead of if.
More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Get Updates on the Splunk Community!
Transforming Financial Data into Fraud Intelligence
Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...
How to send events & findings from AWS to Splunk using Amazon EventBridge
Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
