I have a single sourcetype where i need to differentiate the same sourcetype into 3 different categories based on OS field .I tried using append but since takes lot of memory by calling same sourcetype 3 different times ,i need a different approach instead of append.
My code :
index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Linux" OR OS="Solaris" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Status="Installed"
| eval group="Unix Server"
| append
[| search index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Windows" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Hardware_Status="Installed"
| eval group="Windows "]|stats count by group
Can this be merged into one single query without using append ? This will help me to not running same sourcetype 2 times.
You can combine using another eval for group.
For e.g
index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search (Environment="PSE" OR Environment="Prod") AND Eligibility="Upper" AND Status="Installed"
| eval group = case(OS="Windows","Windows",OS="Linux" OR OS="Solaris","Unix Server",1=1,"Unknown")
| stats count by group
You can combine using another eval for group.
For e.g
index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search (Environment="PSE" OR Environment="Prod") AND Eligibility="Upper" AND Status="Installed"
| eval group = case(OS="Windows","Windows",OS="Linux" OR OS="Solaris","Unix Server",1=1,"Unknown")
| stats count by group
Hi @dtccsundar,
You can create group field using one more case like below;
index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS IN ("Linux","Solaris","Windows") (Environment="PSE" OR Environment="Prod") Eligibility="Upper" (Status="Installed" OR Hardware_Status="Installed")
| eval group=case((OS="Linux" OR OS="Solaris") AND Status="Installed","Unix Server",(OS="Windows" OR OS="Solaris") AND Hardware_Status="Installed","Windows")
| stats count by group