In our environments, we have a standard naming convention for the servers. For example,
Front End servers: AppFE01_CA, AppFE02_NY
Middle tier servers: AppMT01_CA, AppFE09_NY
Back End servers: AppBE01_CA, AppBE08_NY
If the source contains the cpus information for all these servers, how can I use eval, if and like funcation to get avg cpus by group.
This statement works,
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", "others")| stats avg(CPUs) by host
but multiple like failed, I got invalid eval statement
sourcetype=serverscpu | eval host = if( host like "AppFE%CA", "FE_CA", host like "AppBE%CA" , "BE_CA", "others")
My goal is to get average cpus for front end, middle tier and back end servers by data center in the same graph.
Thanks in advance.
Thank you, Kristian. It works.
Please mark the answer as accepted. Thank you.
Hi,
Something along the lines of:
sourcetype=<your_sourcetype> | eval hostgroup=case(host LIKE "%BE%", "BE", host LIKE "%MT%", "MT", host LIKE "%FE%", "FE", host LIKE "%", "Others") | stats dc(host) by hostgroup
hope this helps,
Kristian
Unfortunately case does not seem to work as an expression in Color palette types and options. Any ideas for a nested if/LIKE statement?
https://docs.splunk.com/Documentation/Splunk/7.1.2/Viz/TableFormatsXML
You can shorten this:
host LIKE "%", "Others"
to
1=1, "Others"
Since both above is true, this will be true of noen of the other is true.
Use case
instead of if
.
More info on the different available eval
functions: docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions