Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to differentiate single sourcetype based on 3 different OS using eval

dtccsundar
Path Finder
‎11-24-2021 10:35 PM

I have a single sourcetype where i need to differentiate the same sourcetype into 3 different categories based on OS field .I tried using append but since takes lot of memory by calling same sourcetype 3 different times ,i need a different approach instead of append.

My code :

index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Linux" OR OS="Solaris" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Status="Installed"
| eval group="Unix Server"

| append
[| search index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search OS="Windows" AND Environment="PSE" OR Environment="Prod" AND Eligibility="Upper" AND Hardware_Status="Installed"
| eval group="Windows "]|stats count by group

Can this be merged into one single query without using append ? This will help me to not running same sourcetype 2 times.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-24-2021 11:00 PM

You can combine using another eval for group.

For e.g

index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search (Environment="PSE" OR Environment="Prod") AND Eligibility="Upper" AND Status="Installed"
| eval group = case(OS="Windows","Windows",OS="Linux" OR OS="Solaris","Unix Server",1=1,"Unknown")
| stats count by group
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎11-24-2021 11:00 PM

You can combine using another eval for group.

For e.g

index=A sourcetype=Server
| fillnull value=""
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others")
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment)
| search (Environment="PSE" OR Environment="Prod") AND Eligibility="Upper" AND Status="Installed"
| eval group = case(OS="Windows","Windows",OS="Linux" OR OS="Solaris","Unix Server",1=1,"Unknown")
| stats count by group
---
What goes around comes around. If it helps, hit it with Karma 🙂
Reply
Solved! Jump to solution

dtccsundar
Path Finder
‎11-25-2021 01:24 AM

This Worked !! Thank you .

Tags (1)
0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎11-24-2021 10:56 PM

Hi @dtccsundar,

You can create group field using one more case like below;

index=A sourcetype=Server 
| fillnull value="" 
| eval OS=case(like(Operating_System,"%Windows%"),"Windows",like(Operating_System,"%Linux%"),"Linux",like(Operating_System,"%Missing%"),"Others",like(Operating_System,"%Solaris%"),"Solaris",like(Operating_System,"%AIX%"),"AIX",1=1,"Others") 
| eval Environment=case(like(Environment,"%Prod%"),"Prod",like(Environment,"%Production%"),"Prod",1=1,Environment) 
| search OS IN ("Linux","Solaris","Windows") (Environment="PSE" OR Environment="Prod") Eligibility="Upper" (Status="Installed" OR Hardware_Status="Installed") 
| eval group=case((OS="Linux" OR OS="Solaris") AND Status="Installed","Unix Server",(OS="Windows" OR OS="Solaris") AND Hardware_Status="Installed","Windows") 
| stats count by group
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Enhance Your Splunk App Development: New Tools & Support

UCC FrameworkAdd-on Builder has been around for quite some time. It helps build Splunk apps faster, but it ...

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...