Splunk Search

multiple like within if statement

karche
Path Finder

In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY

If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.

This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host

but multiple like failed, I got invalid eval statement

sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")

My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.

Thanks in advance.

Tags (1)
0 Karma

karche
Path Finder

Thank you, Kristian. It works.

0 Karma

Ayn
Legend

Please mark the answer as accepted. Thank you.

0 Karma

kristian_kolb
Ultra Champion

Hi,

Something along the lines of:

sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT",  host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup

hope this helps,

Kristian

TonyLeeVT
Builder

Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?

https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML

0 Karma

lakromani
Builder

You can shorten this:

host LIKE "%", "Others"

to

1=1, "Others"

Since both above is true, this will be true of noen of the other is true.

0 Karma

Ayn
Legend

Use case instead of if.

More info on the different available eval functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...