With many thanks to the first answer, I am working with the following search on the same data:
host="Inv" | eval newfield = if(isnull(Model) OR len(Model)<=1,Description,Model) | chart count over Hostname by newfield limit=0
What I am doing in this search is substituting empty or bogus data in the "Model" field with the data from the "Description" field. This is in an attempt to better group my count of inventory.
The issue I run into when using the Description field, however, is that items that are the exact same type are appended with the module location. For example:
switch1,Transceiver Gi2/5,9,A52717308 ,,Transceiver 1000BaseSX Gi2/5,
switch1,Transceiver Gi2/9,9,A52815844 ,,Transceiver 1000BaseSX Gi2/9,
Both are the same type according to the Description, except that one has "Gi2/5" and the other has "Gi2/9".
Any ideas on how to get Splunk to ignore or strip out that last part so these two Descriptions are grouped together?