Re: multiple like within if statement

karche · ‎10-27-2011

In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY

If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.

This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host

but multiple like failed, I got invalid eval statement

sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")

My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.

Thanks in advance.

karche · ‎10-28-2011

Thank you, Kristian. It works.

Ayn · ‎10-28-2011

Please mark the answer as accepted. Thank you.

kristian_kolb · ‎10-28-2011

Hi,

Something along the lines of:

sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT",  host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup

hope this helps,

Kristian

TonyLeeVT · ‎08-04-2018

Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

lakromani · ‎04-19-2016

You can shorten this:

host LIKE "%", "Others"

to

1=1, "Others"

Since both above is true, this will be true of noen of the other is true.

Ayn · ‎10-28-2011

Use case instead of if.

More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

multiple like within if statement

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor