I have a single sourcetype where i need to differentiate the same sourcetype into 3 different categories based on OS field .I tried using append but since takes lot of memory by calling same sourcety...
See more...
I have a single sourcetype where i need to differentiate the same sourcetype into 3 different categories based on OS field .I tried using append but since takes lot of memory by calling same sourcetype 3 different times ,i need a different approach instead of append. My code : index=A sourcetype=Server | fillnull value="" | eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others") | eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment) | search OS="Linux" OR OS="Solaris" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Status="Installed" | eval group="Unix Server" | append [| search index=A sourcetype=Server | fillnull value="" | eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others") | eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment) | search OS="Windows" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Hardware_Status="Installed" | eval group="Windows "]|stats count by group Can this be merged into one single query without using append ? This will help me to not running same sourcetype 2 times.